The CISO’s Guide to Reporting Cybersecurity to the Board

Organizations have multiple stakeholders, all of whom have varying levels of cybersecurity knowledge and interest. As a CISO, you need to be able to demonstrate the effectiveness of the cybersecurity solutions you employ with regard to each stakeholders’ area of expertise. Using key performance indicators (KPIs) provides visibility into your network infrastructure which you can use to answer performance-related questions when presenting. This will allow you to explain business risks and mitigation strategies in terms your board of directors will understand, ensuring that all parties are aligned.

Determining presentation goals and style

When creating your presentation, you should only include relevant information and focus on being concise with your explanations. Succinctly presenting cybersecurity performance makes it easier for board members to absorb the information that you are sharing with them. Using KPI data is recommended as it provides context into cybersecurity programs that can be used by the board when assigning a budget for cybersecurity.

Selecting the right cybersecurity KPIs for a board of directors

From a technical standpoint, you know the primary KPIs for proving effective cybersecurity control monitoring. Some most-used KPIs include:

• Intrusion Attempts: number of times malicious actors tried to gain unauthorized access to systems, networks, and software
• Mean Time to Detect (MTTD): Time it took to detect security threats
• Mean Time to Resolve (MTTR): Time it took to respond to a cyber attack
• Mean Time to Contain: Time it took to re-secure the attack location
• Patching Cadence: Frequency of installing security patches
• Comparison with Peers: Your cybersecurity posture compared to industry peers’ posture
• Vendor Risk Management (VRM): The way in which your organization mitigates supply chain cybersecurity risk to prevent third-parties from causing a data breach

However, translating these technical data points into management level metrics becomes challenging when reporting to the Board since they give little visibility into the financial and reputational risks.

Can security ratings platforms explain technical KPIs in business language?

The short answer to this is, “not in so many words.” The longer answer is that they do provide you a way to discuss the technical KPIs so that your Board understands both the risks associated with the business and how well you’re managing those risks.

Security ratings, while they may not necessarily use technical language, address all of the KPIs that matter to you as a CISO. As such, they can act as a bridge between your technical knowledge and the Board’s business-focused needs. However, when reporting these metrics, you often need to give not just the “what” but also the “why” when reporting to the Board.

Answering the right questions

Cyber risk management has become integral to organizational success and boards know this. Board members need to know how well equipped their organization is to handle cyber risk. As a CISO, it is your job to relay this information while presenting.

Below is a list of questions you should aim to answer in your presentation:

What is the organization’s cyber risk level?

To convey the overall risk level, you should highlight both your organization’s risk appetite and risk tolerance levels. Risk appetite is a predefined level of risk that is deemed acceptable by an organization. Risk tolerance is the measure of how much risk an organization can handle before becoming unsustainable. Using these measurements allows you to represent your organization’s overall cyber risk as it pertains to cybersecurity performance.

What are the organization’s top risks?

When determining your organization’s top risks you need to evaluate the historical impact individual cyber threats have had on your company’s bottom line. By looking at the financial impact of successful attacks, you can create a qualitative risk analysis and display top risks side by side. This will help you explain where risk is concentrated and which risks require additional attention.

How is the organization’s risk posture trending? Is risk increasing or decreasing?

To see which way your risk posture is trending, you should compare your cybersecurity performance to the organization’s risk appetite statements. Evaluating how well your cybersecurity solutions uphold your risk appetite will give your board an idea of whether risk is increasing or decreasing. Leveraging threat intelligence can help you visualize risk posture and show where improvements can be made.

Is the organization’s level of cybersecurity spending appropriate?

Determining whether or not you are spending enough money on cybersecurity can be difficult as there is no way to quantify the financial loss from a cyber attack until after it has occurred. That said, using data to show the ROI on cybersecurity investments illustrates how effectively money is being spent. Showing the return on investment will influence your board’s cybersecurity budget allocation and ensure that spending is done in a way that sustains your security capabilities.

What is the cyber risk associated with a new business prospect?

New business prospects provide an opportunity for growth, but can also introduce additional cyber risk. Showing the board that you are doing your due diligence when it comes to identifying potential business opportunities is crucial. You should be vetting all prospects to evaluate the general risk they pose to your organization. Additionally, be sure to highlight the processes you have in place to monitor your current partners’ risk.

Explaining key security details to the board

When presenting, it is important to explain cybersecurity matters in a way that both makes sense to and benefits the board.

Here are some examples of how you can explain key cybersecurity matters to your board of directors:

How to explain intrusion attempts

The word to focus on here is “attempt.” Malicious actors will always attempt to gain entrance to data, the question is where cybercriminals focus their attacks and your ability to thwart them.

For example, if you’re continuously monitoring all organizational IP addresses and know the types of information associated with those addresses, you can gain visibility into the key business risks. Assume that, as part of your monitoring, you find that malicious actors focus on IP addresses associated with your corporate website. You know that no customer portal exists on the site, and internal users accessing the backend must use unique logins and passwords. Since the organization doesn’t store non-public information (NPI) on that address and the likelihood of credential theft providing access to systems, networks, and software storing NPI is low, you can tell the Board that the financial risk is low while the reputation risk is medium.

How to explain Mean Time to Detect (MTTD)

Ultimately, the main information you need to give your Board about this metric is: the time was short. The faster you can detect a risk, the more rapidly you can mitigate the threat. If your dashboard shows that you continuously monitor and maintain a consistent security rating, then you can easily explain the link between the two. Your Board can easily see that you maintain a robust security posture as long as you can say, “we were able to detect security threats within hours, meaning that we were able to mitigate them rapidly to prevent additional risk to the organization.”

How to explain Mean Time to Respond (MTTR) and Mean Time to Contain (MTCC)

Unfortunately, despite the best detection methods, malicious actors will more likely than not find a way to infiltrate your organization’s security defenses. Response time, then, becomes the next most important metric for your dashboard. The 2019 IBM Cost of a Data Breach report noted that employing artificial intelligence (AI) platform reduced the costs of a data breach by $230,000 on average. With an AI platform, you can real-time visibility into the threat vector associated with the security incident, meaning that you can more rapidly respond to the threat.

If your security rating platform provides visibility into the risk factor associated with the security incident, you can prove how rapidly your team responded. For example, if the cybercriminals gained access to your systems using a cross-site scripting attack and your platform reviews for web application security as a risk factor, you can easily see the lowered score to respond directly to that issue. Then, you can monitor the risk factor and provide the increased score post-response as a metric for proving rapid response time. Additionally, the improved score gives a metric that provides the Board confidence over your ability to contain the threat. If the improved, post-incident risk factor score stays stable, you can show that the threat has been successfully contained.

How to explain patching cadence

Proving that all systems are continuously updated according to best practices can be challenging. The 2017 Equifax data breach arose from a single unpatched server. With a security rating platform that monitors patching cadence across all endpoints, you can gain insight into how well your organization maintains its patching cadence. A high score for that risk factor indicates that you are appropriately updating all devices, systems, networks, and software to mitigate risk. With this metric, you can tell the Board that your ability to view all of these locations and effectively update them lowers their financial and reputation risks.

How to explain vendor risk management effectiveness

Your security ratings platform enables you to review all of your vendors in the same way that you manage your own security. Often, organizations lack visibility into their supply chain risk. The IBM Cost of a Data Breach Report also noted that breaches caused by third-parties cost $370,000 more than other breaches.

If you’re continuously monitoring your supply stream with a security ratings platform, you can give your Board confidence over technology decisions. In the same way that you use these metrics to prove your own cybersecurity posture, you can prove governance over your vendors. Not only can you show the Board that your supply stream is secure, but you can also give data surrounding your monitoring, including your communications with them and their response times.

How does the organization compare to its peers?

Annually, Boards of Directors review their position within their market. Security ratings platforms enhance their ability to gain insight into how well they compare with their peers which impacts their annual financial planning.

Security ratings platforms collect publicly available information which means that you can use the ratings to share your performance in a business-level language. If your security rating is lower than that of a peer, you can drill down into the risk factors associated with the ratings – both your own and those of your competitors. If one risk factor is causing the difference, then you can more easily report to your Board about how to improve the score and the budget they need to allocate to meet the market-level standard.

On the positive side, if your security ratings are stronger than peers, you can explain to your Board that you manage cybersecurity risks more effectively than your competitors do. Drilling down to the individual factors across your industry allows you to show your team’s expertise and gives the Board confidence in your abilities as a CISO. Additionally, you can use these scores as metrics to prove your ability to maintain effective information security controls as the Board looks toward new business objectives such as cloud migration.

SecurityScorecard enables effective cybersecurity KPIs for the Board

SecurityScorecard provides easy-to-read A-F ratings across ten groups of risk factors including DNS health, IP reputation, web application security, network security, leaked credentials, hacker chatter, endpoint security, and patching cadence. For CISOs trying to provide effective reports to their Boards of Directors, we bridge the gap between technical information and business-level needs.

Instead of giving long explanations with technical details, you can provide at-a-glance visibility into your continuous cybersecurity monitoring. Consistent ratings across all factors and a brief explanation of how those translate to business imperatives, such as financial or reputation risk, can give your Board the information necessary to make strategic decisions.

The platform incorporates portfolio creation so that you can review vendor risk by an individual vendor, cohort, or industry. These capabilities alert you to potential risks so that you can communicate them effectively to your Board, aligning a low-score with a high risk. For example, organizations with a D or F rating are considered five times more likely to experience a data breach. Thus, you can give your Board better risk management data and explanations by incorporating that into your discussions.