Cybersecurity metrics corporate boards want to see

Cybersecurity pros interested in metrics and measures frequently ponder and pontificate on what measures would be best to show the board of directors. That can be a tricky proposition because “we have to speak like the business” is also a mantra. Coming up with cybersecurity metrics from a business perspective can be a challenge. So how can we solve this problem and provide useful insight?

Well, first we have to recognize that the board level is the highest strategic level in the company. If you provide metrics on patch status and phishing test results, you are essentially admitting that your cybersecurity program is built on a few hodge-podge activities and a prayer.

Cybersecurity pros often malign the “red-yellow-green” types of indicators, but keep in mind that the board doesn’t need technical details or variances. If they can get by with “sales per square foot” metrics in retail stores that sell smartphones and candy bars or “bed utilization” measures for hospitals that treat dehydration and conduct brain surgery, they can work with “bigger picture” scales on three to five levels. “Red-yellow-green” isn’t completely out of the question as long as the levels are defined and have details that explain them. The bigger challenge now is that board members are increasingly becoming liable for negligence, and they really should and do want more insight.  

Top cybersecurity questions from corporate boards

Now we revert to where we started – trying to provide business-oriented board members with technically oriented cybersecurity data at a strategic level. It may be helpful to set a baseline of what board members really want to know about cybersecurity in any company. Here are their top five questions:

1. Are we secure? This question is the bane of many a cybersecurity pro’s existence because the answer now and always will be “no” from a literal 100% protection standpoint. If we rework the question to “what is our exposure level?” we can start to make headway.
2. Are we compliant? This question is often easily answered with audit results but may provide no real comfort due to its “point-in-time” perspective that can change at a moment’s notice. Better to assess our cybersecurity program using a control framework.
3. Have we had any (significant) incidents? Board members will be well-aware of any significant incidents, so this question is usually answered with details as well as estimates regarding costs and potential liability.

I said there are five questions, but the three above are the ones that are typically articulated. These final two are implied as a standard element of good board management:

4. How effective is our security program? Quality first.
5. How efficient is our security program? And then quantity.

Cybersecurity metrics for corporate boards

As we build out our program, our goal should be to directly translate the most detailed technical data into a strategic framework that is understandable at the business level. We should also factor in the fact that board members are not stupid, and they can learn anything they need to that helps them make strategic decisions. Technology is taking over their lives just like ours, and with the entire world going through digital transformation, it has been amazing how easily they have picked up SaaS metrics as needed.

We are going to work with metrics on:

• IT assets (number of users, devices, servers, apps, etc.)
• Usage activity (sessions, flows, messages, etc.)
• Process controls (user account create/modify/delete; vuln detect/patch, incident detect/respond, etc.)
• Real-time (inline) controls (antimalware, firewall, email security, etc.)
• Incidents

Here is a good core set of board metrics that provide strategic insight into the enterprise cybersecurity program:

• Cyber risk: the percentage of inappropriate usage activities out of all usage activities
• Cybersecurity efficacy: percentage reduction in cyber risk provided by the real-time cybersecurity controls
• Cyber exposure: average number of usage activities per IT asset
• Cyber resilience: average number of real-time controls applied for each usage activity
• Risk aversion ratio: the willingness to accept productivity impairment (e.g., password failures, false positives) compared to the malicious activity allowed or denied (true positives plus false negatives)

In addition, we need to factor in costs and value. After all, financial information is the lingua franca of the business world:

• Loss to value ratio: spending on cybersecurity including incident losses compared to financial value provided by IT assets.
• Control cost per IT asset (probably application): allocated costs of cybersecurity controls by IT asset
• Risk reduced per unit cost: financial value of reduced risk compared to total cybersecurity spending

Look at the board proceedings and earnings call transcripts for publicly traded companies, or even the vast number of financial ratios on your favorite investing websites, and you will see that the metrics described above are at a much more appropriate strategic level than the mishmash of patch levels and malware found.

If we want executives to take cybersecurity seriously in the enterprise, this is the way to get there.