The roles and responsibilities of the board of directors (boards) in ensuring the security of their organizations are expanding, both because the cyber risk and threat landscape is growing more perilous and as a result of new regulatory requirements.
Boards today are interested not only in the business side, for example the return on investment in cyber risk management activities, but also in the technology side: the IT infrastructure comprising on-premises and cloud-based assets, networks, applications, and resources; the third-party ecosystem; the cyber defense and resilience mechanisms, including the control environment and the security measures in place; and more.
The onus to communicate security and risk-related information to the board and the C-suite in a timely and lucid manner falls primarily on the CISO. Although there is a growing trend of appointing Business Information Security Officers (BISOs), the key responsibilities still lie firmly with the CISO. Since boards consist mainly of non-technical executives, it is essential that this risk information is conveyed in easy-to-understand, business-oriented language, which enables them, first, to understand the true potential of risks and their impact and, second, to make strategic decisions that keep the organization protected while managing budget and resource constraints.
Lack of effective communication not only leads to insufficient or inappropriate action, but may also lead to conflicts and reputational issues and exposes the organization to higher risks. It is imperative for CISOs to choose the relevant and essential metrics to report on, which can aid in fulfilling the above requirements.
Cyber risk and IT compliance metrics are essential not only to gauge the effectiveness of an organization’s cyber governance, risk, and compliance (Cyber GRC) strategy and program, but also to manage and effectively communicate risks to the board. They are also critical indicators of overall status, unresolved issues, and potential risk events that can adversely impact organizations.
The CISO and security team measure and track a plethora of such metrics – risk appetite and tolerance, security incidents, configurations, mean time to detect, control maturity, business continuity planning and impact analysis, employee awareness, frequency of training programs, and many more. When reporting these to the board, the CISO should be clear about the objectives behind the reporting. Since the board is responsible for implementing strategies that drive business value, they must receive and review the cyber metrics in a manner that helps them in this process.
Which brings us to the question – what information should the board be made aware of?
The most common and obvious answer is, of course, understanding the security and compliance posture. However, there are several other aspects too.
First, there is no one-size-fits-all metrics reporting template. Understanding the information sensitivity, domain, sector, size, culture, and resources of the organization should be the foundation of all such metrics reporting. As an example, the nature of data being handled, the regions being operated in, the regulations in those regions, and so on will affect the kind of metrics being reported to the board.
Further, the metrics will depend on the ecosystem of the organization. For example, if a company were to scale its operations by engaging a network of third parties, then metrics concerning such third-party activity and their SLAs must also find prominence in any reports to the board.
In another scenario, say, if a company were downsizing and facing budget cuts, the decision-makers would want to know the best way to do so without impacting the overall security posture. This would require looking at metrics such as IT team headcount, productivity, use of AI technology, IT vendors, spending on cyber projects, etc.
Another aspect to consider is the purpose of the report. There are regular review processes that help to determine the cybersecurity strategy, budget, and program. This involves metrics such as the number of security incidents in a year, the total number of critical assets, top risks, threats, and vulnerabilities, the number of access control violations, control maturity practice score, the number of critical and non-critical third parties, mean time to respond to security incidents, total third-party spend, compliance status, number of open issues, and many more. Then there are particular use-case reports such as detailing an incident or planning for a corporate acquisition/merger or entering a new line of business. In these cases, different types of reports with specific metrics need to be reported on and this should be in addition to (and not instead of) the regular reports.
Keeping it simple always works best. Not all board members will have the technical expertise to understand the relevance or criticality of every metric that is being reported. It is therefore crucial to report the metrics in terms that anyone can interpret and understand. For example, in addition to presenting them with the risk assessment matrix, color-coded for depicting high, medium, and low risk, communicate the risk exposure in monetary or dollar terms using risk quantification.
Another best practice is to segregate the metrics into different categories, such as
One of the best ways to communicate technical information to non-technical people is to use analogies. As an extremely simplified example, instead of trying to highlight the benefits of ECC encryption over RSA, one can simply portray ECC as a 12-lever lock versus RSA as a 6-lever lock. The use of real-world examples can go a long way in ensuring that the board understands the information and makes fact-based decisions.
Regulations around cybersecurity and cyber risk management are increasing quickly. In recent months, we saw the adoption of the SEC’s cybersecurity rules in the US, following the introduction of the Digital Operational Resilience Act (DORA) in the EU, to be fully adopted by 2025.
The SEC’s rules require annual reporting on the board’s oversight of cybersecurity risks, on management’s role and expertise in assessing and managing material cybersecurity risks, and on how the board or its subcommittee is informed about cyber risks. The rules, set to come into force in December 2023, apply to publicly listed organizations.
For a deeper dive, read our recent blog, Achieve Compliance with SEC’s New Cybersecurity Rules.
The EU’s DORA entered into force on January 16, 2023, and financial sector organizations will be required to be compliant by January 17, 2025. The act mandates that the “management body” of financial entities define, approve, oversee, and be responsible for the implementation of all arrangements related to the information and communication technology (ICT) risk management framework.
To learn more about this new regulation, download our eBook, Demystifying DORA - Understanding and Preparing for the EU’s Digital Operational Resilience Act.
Given the fast pace at which the cyber risk landscape is evolving, the board’s role and interest in cyber risk management will only grow. For CISOs and security teams, this will require presenting a clear, simple, and accurate picture of the Cyber GRC program. Additionally, it requires effective collaboration and regular communication between the board and the CISO to make the reporting process meaningful, streamlined, and aligned with business goals and objectives. This requires time and effort from both sides, and the best time to start is now.
To learn how MetricStream can help with cyber metrics reporting to the board, contact us today!