The US Securities and Exchange Commission is increasing the pressure on CISOs and boards of directors to be more transparent about their organizations' cybersecurity capabilities and to disclose material breaches to investors promptly (under the SEC's 2023 rules, within four business days of determining that an incident is material). This has raised the importance of cyber reporting and metrics this year, with boards insisting on a more rigorous approach to tracking key performance indicators (KPIs) and key risk indicators (KRIs) and on CISOs using those metrics when advising and reporting to the board.
A recent primer titled “The Cyber Savvy Boardroom,” written by Homaira Akbari, CEO of AKnowledge Partners, and Shamla Naidoo, head of cloud strategy at Netskope, has gained attention for its in-depth coverage of cybersecurity metrics and reporting practices. The primer emphasizes the importance of operational metrics that track cybersecurity activities and outcomes. It highlights the essential role of these key performance indicators in illuminating an organization’s cybersecurity capabilities, evaluating the efficiency of cyber controls, and helping the board of directors gauge the adequacy of investments in technology and talent.
The primer outlines the categories of metrics that CISOs should track and share with the board to report on risk levels and security performance. These include data metrics, financial-asset metrics, people-related metrics, supplier-related security risk and performance, infrastructure, user-controlled devices, new technologies such as IoT, enterprise applications, security posture testing, and incident detection and response.
The data metrics category is designed to scope risk around data assets and track performance in key protection measures for data security, resilience, and continuity. For example, metrics in this category could include the percentage of employee, customer, or user information found on the Dark Web and the depth of data-lake segmentation. Financial asset metrics focus on risks and losses associated with financial assets, such as the value of actual money or cryptocurrency lost directly and the volume of financial data leaked, among others.
People-related metrics gauge the effectiveness of security awareness training and adherence to security policies and best practices. Examples include the phishing-simulation click-through rate, the ratio of privileged accounts to total accounts, and the percentage of employees moving data or files out of the enterprise. Supplier-related metrics keep the business informed with trend data on the self-certified cybersecurity posture of third parties, external scoring against peers and industry, and continuous monitoring of the posture of third and fourth parties, among other factors.
Infrastructure-related metrics monitor and measure IT infrastructure exposures and the security capabilities that mitigate risk across network and hardware assets. These could include the number of servers or hardware devices approaching end of life, the share of assets that match a secure configuration baseline, and the degree to which hardware inventory and control are automated.
User-controlled devices are an area where CISOs need to gauge how much control the organization has over shadow IT and other user-managed devices operating on the network. This category could include the number of unidentified devices on the network, the number of devices with unpatched software, and the number of threats detected and prevented by the endpoint solution.
The primer also highlights the importance of tracking new technologies, such as IoT, and suggests metrics around non-upgradable or unpatchable IoT devices, as well as the depth of IoT segmentation from enterprise resources. The authors stress that the same approach works for any emerging technology, for example metrics on the extent of AI use in the organization and the risk exposure it creates.
Enterprise applications are some of the biggest attack surfaces in the enterprise today, and metrics on known open software vulnerabilities, outstanding software patches, and the number of vulnerabilities in use for which no vendor patch yet exists (zero-days) are deemed important to track. Security posture testing, incident detection and response, and several other categories of metrics are also identified as crucial for CISOs to monitor and report to the board.
Overall, the primer emphasizes the need for security teams to translate these metrics into assessments and dashboards that the board of directors can digest easily. By doing so, CISOs can give the board a data-backed model for judging the efficacy of the organization's program and identifying gaps in protection across the enterprise. Ultimately, the primer underscores the critical role that cybersecurity metrics and reporting play in helping organizations bolster their cybersecurity capabilities and support better-informed decision-making at the board level.
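As an added illustration of how several of the KRIs named above (unidentified devices, assets approaching end of life, unpatched assets, configuration-baseline drift, the privileged-account ratio and the phishing click-through rate) can be computed from raw inventory data and rated for a board dashboard, the following Python is example code written for this summary; it is not from the primer or its authors. The asset inventory, scanner output, account counts, phishing results, the as-of date and the red/amber/green thresholds are all constructed assumptions.

```python
"""Added example: compute a few board-level KRIs from constructed inventory
data and rate each against a threshold. Illustrative code, not from the
primer; all data, names and thresholds are assumptions."""
from datetime import date, timedelta

# Constructed sample data (not real assets or results).
AS_OF = date(2024, 1, 15)

# CMDB: managed assets with end-of-life date, patch and config-baseline status.
INVENTORY = [
    {"id": "srv-01", "eol": date(2024, 3, 1),  "patched": True,  "baseline": True},
    {"id": "srv-02", "eol": date(2026, 6, 30), "patched": False, "baseline": True},
    {"id": "srv-03", "eol": date(2024, 5, 15), "patched": True,  "baseline": False},
    {"id": "lap-07", "eol": date(2027, 1, 1),  "patched": False, "baseline": True},
]
# Device IDs seen by the network scanner / NAC during the reporting period.
OBSERVED = {"srv-01", "srv-02", "srv-03", "lap-07", "cam-22", "unknown-9f3a"}
# Identity directory counts and phishing-simulation results.
ACCOUNTS = {"total": 1250, "privileged": 90}
PHISHING = {"sent": 1000, "clicked": 38}


def unidentified_devices(inventory, observed):
    """Devices on the network that the CMDB does not know about (shadow IT)."""
    known = {a["id"] for a in inventory}
    return sorted(observed - known)


def approaching_eol(inventory, as_of, within_days=180):
    """Assets whose end-of-life date falls within the horizon (or has passed)."""
    horizon = as_of + timedelta(days=within_days)
    return [a["id"] for a in inventory if a["eol"] <= horizon]


def pct(numerator, denominator):
    """Percentage with a zero-denominator guard, rounded to one decimal."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def rag(value, amber, red):
    """Red/amber/green rating; higher values are worse for every KRI here."""
    if value >= red:
        return "RED"
    if value >= amber:
        return "AMBER"
    return "GREEN"


def board_dashboard(inventory=INVENTORY, observed=OBSERVED, accounts=ACCOUNTS,
                    phishing=PHISHING, as_of=AS_OF):
    """Return {metric: (value, rating)} for a handful of the primer's KRIs.
    Thresholds are assumed for illustration; a real program sets them from
    its own risk appetite."""
    n = len(inventory)
    unidentified = unidentified_devices(inventory, observed)
    eol = approaching_eol(inventory, as_of)
    metrics = {
        "unidentified_devices": len(unidentified),
        "pct_assets_near_eol": pct(len(eol), n),
        "pct_assets_unpatched": pct(sum(not a["patched"] for a in inventory), n),
        "pct_assets_off_baseline": pct(sum(not a["baseline"] for a in inventory), n),
        "pct_privileged_accounts": pct(accounts["privileged"], accounts["total"]),
        "phishing_click_rate_pct": pct(phishing["clicked"], phishing["sent"]),
    }
    thresholds = {  # (amber, red), assumed values
        "unidentified_devices": (1, 5),
        "pct_assets_near_eol": (10.0, 25.0),
        "pct_assets_unpatched": (10.0, 30.0),
        "pct_assets_off_baseline": (10.0, 30.0),
        "pct_privileged_accounts": (5.0, 10.0),
        "phishing_click_rate_pct": (5.0, 10.0),
    }
    return {k: (v, rag(v, *thresholds[k])) for k, v in metrics.items()}


if __name__ == "__main__":
    for name, (value, rating) in board_dashboard().items():
        print(f"{name:26s} {value:>8}  {rating}")
```

The point of the structure is that each KRI is derived from source data the security team already holds (CMDB, NAC or scanner output, the identity directory, the awareness platform) rather than typed into a slide, so the board figure is reproducible and the trend can be recomputed each quarter; the thresholds are where risk appetite enters, and they should be agreed with the board rather than chosen by the engineer.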

