Cybersecurity has become a top priority for many boards. As a result, cybersecurity reports have become increasingly important— and relevant — to them. They give the board a good understanding of the security posture of the organisation.
Effective cybersecurity reporting requires that information be presented clearly and succinctly so that priorities can be identified, issues can be addressed, and decisions can be made in accordance with the organisation’s strategic goals and risk appetite.
One can appreciate this in theory, but it’s much more difficult to execute: there are no hard and fast rules around this kind of reporting.
There are challenges associated with designing cybersecurity reports for boards. We tackle two of them below.
CHALLENGES WHEN DESIGNING CYBERSECURITY BOARD REPORTS
1.) Cybersecurity reports and dashboards contain too much technical information.
There is a tendency to do a deep-dive into technical specifics with the belief that this will be valuable for board understanding. But that’s not always the case.
Inundating the board with technical information (or the use of jargon) can lead to confusion or impatience. This may fail to give the board an accurate and insightful scan of what the organisation has to confront from a security perspective.
A pragmatic approach would be to review the reports to see whether the board can get a picture of how secure the organisation is — without having to resort to supplemental research or consult with those who have technical expertise to get a comfortable understanding of what’s being conveyed.
2.) The identification of key performance indicators (KPIs) that are relevant to the board is not always a straightforward process.
IT or security executives track many KPIs on a daily basis. But not all of these need to be presented to the board. KPIs that are suitable for sharing with the board are typically those that have an impact on the board’s strategic agenda. This requires thoughtful consideration and discernment. It is important to rely on the big picture and not get lost in the weeds.
STANDARD KPIs and CYBERSECURITY METRICS TO TRACK
There is neither a definitive template nor a singular approach towards determining which metrics to include in a cybersecurity report. A large part of KPI reporting revolves around your organisation’s needs, risk appetite and risk tolerance levels. It’s crucial to have a good grasp on these.
While cybersecurity reporting does not employ a one-size-fits-all approach, some of the most used KPIs shared with board of directors may include:
QUESTIONS YOU NEED TO ADDRESS WHEN REPORTING ON CYBERSECURITY
As highlighted in the informative article linked to above, there are also a number of questions that your report or presentation should answer:
1. What is the organisation’s cyber risk level?
Consider your organisation’s risk appetite and risk tolerance.
2. What are the organisation’s top risks?
Determine where risk is concentrated and which risks require additional attention. Factor in their financial impact.
3. How is the organisation’s risk posture trending? Is risk increasing or decreasing?
Compare your cybersecurity performance to the organisation’s risk appetite statements.
4. Is the organisation’s level of cybersecurity spending appropriate?
Use data to effectively show the ROI on cybersecurity investments.
5. What is the cyber risk associated with new business prospects?
There are two factors to consider in this area: 1.) the need to vet all prospects to evaluate the cybersecurity risk they pose to your organisation and 2.) informing the board of the processes you have in place for managing and monitoring this risk.
Management guru, Peter Drucker, once said: “what gets measured, gets managed.” This applies to cybersecurity metrics.
But for the board to arrive at a solid understanding of the organisation’s cybersecurity posture and manage it, information technology and security executives need to be cognisant of delivering data that’s actionable, useful, and relevant.
There’s a need to edit and streamline information. “The more, the better” does not always hold true in this matter.