Every executive team cares about business risk. Leaders actively trying to manage risk have realized that cyber-threats now represent the lion’s share of potential harm, and they want timely KPI metrics and insights aligned with business priorities.
In fact, according to a 2019 survey by the Enterprise Strategy Group, 39% of executives and directors want security status reports for cyber-risk associated with end-to-end business processes and 35% want better detail on the ROI of their security investments and planned purchases.
Here are three essentials you can give your board to help them understand the business’s cyber-stance.
The Company’s Current Security Posture
How good is your security? How effective are your controls? Your security posture reflects the effectiveness of your current security controls against potential cyber-attacks, covering both internal and external-facing controls across your infrastructure. There is more than one way to measure an organization’s security posture, but the idea is to present an objective, vendor-agnostic metric that you can obtain on an ongoing basis, without having to rely on the periodic third-party security assessments you may be performing on a monthly or quarterly basis.
As enterprises rely on an average of over 80 security products, this number should reflect how well these solutions work in concert to defend against the entire lifecycle of a threat, from attack delivery, to system compromise to lateral movement and beyond.
At first blush, providing your board with an up-to-the-moment security posture metric may seem impossible. But security vendors have been catching on to this need, and an increasing number of them are offering exposure metrics and cybersecurity risk scores, as well as industry benchmarks that compare your score with others in your industry. And vendors are not alone. Ratings agency Moody’s has recently announced a joint venture with cyber group Team8 for creating a global cybersecurity risk assessment standard for businesses.
Is your organization about to merge with or acquire another company? Getting an objective assessment of their security posture is equally important, to spare the soon-to-be-merged company the grief of discovering poor security practices only after the fact (recall Verizon’s lowered bid for Yahoo).
Defensibility Against the Very Latest Threats
“Are we vulnerable to that ransomware that hit Baltimore?” Reports of companies and cities falling victim to ransomware and other malware menaces have become a daily occurrence. Understandably, CISOs get called by their CEOs or other executives wanting to know whether they are vulnerable to the latest threat that made the headlines. By keeping tabs on the latest threat intelligence, specifically a threat’s indicators of compromise (IoCs) and the vulnerabilities it exploits, security managers can quickly check two things: whether those indicators already appear in their logs (the threat has reached them) and whether the exploited weaknesses are still unpatched on their assets (the threat could get in). An IoC hit answers the first question, not the second, so both checks are needed before telling the board whether the business is vulnerable or not.
Of course, there are signature-less attacks and zero-days (known unknowns) that require behavioral detection, but as far as knowing whether you are at risk from an already-known threat, this is straightforward to do, either to reassure your board or to explain why you need to beef up resources for a particular area of security.
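The check described above, as an added example that is not code from the original article: a small Python script takes a threat-intelligence bundle (hashes, domains, IPs and the CVEs the threat exploits), matches the IoCs against log lines, and separately matches the exploited CVEs against an asset inventory. Every indicator, CVE identifier, log line and asset record below is a constructed placeholder, not a real threat feed; the key-value log format is likewise assumed for the sake of the example.

```python
"""Two separate questions for the board: has the threat already touched us
(IoC hits in logs), and could it get in (exploited CVEs still unpatched)?
Added example, not from the original article; all data is constructed."""
import re

# Constructed threat-intelligence bundle. The hash, domain, IP (TEST-NET-3
# documentation range) and CVE identifiers are placeholders, not real indicators.
THREAT = {
    "name": "example-ransomware",
    "sha256": {"a1b2c3d4e5f6" + "0" * 52},
    "domains": {"update-check.example.net"},
    "ips": {"203.0.113.45"},
    "exploits": {"CVE-0000-0001", "CVE-0000-0002"},
}

# Constructed log lines in an assumed "<ts> <source> key=value ..." format:
# a DNS resolver, a web proxy and an endpoint agent reporting file hashes.
LOGS = [
    "2019-06-01T10:00:01Z dns client=10.0.1.20 query=update-check.example.net type=A",
    "2019-06-01T10:00:02Z proxy client=10.0.1.20 dst=203.0.113.45 url=http://203.0.113.45/x.bin",
    "2019-06-01T10:00:05Z edr host=ws-020 user=alice sha256=a1b2c3d4e5f6" + "0" * 52
    + " path=C:\\Users\\alice\\x.bin",
    "2019-06-01T10:05:00Z dns client=10.0.1.31 query=intranet.example.com type=A",
]

# Constructed asset inventory: which placeholder CVEs each host has remediated.
ASSETS = {
    "ws-020": {"ip": "10.0.1.20", "patched": {"CVE-0000-0001"}},
    "ws-031": {"ip": "10.0.1.31", "patched": {"CVE-0000-0001", "CVE-0000-0002"}},
    "srv-007": {"ip": "10.0.2.7", "patched": set()},
}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split '<ts> <source> k=v k=v ...' into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["source"] = ts, source
    return fields


def ioc_hits(threat, logs, assets):
    """Return {host: [reason, ...]} for hosts whose activity matches an IoC.
    A hit means the threat has already touched that host; it says nothing
    about whether the host was vulnerable in the first place."""
    ip_to_host = {a["ip"]: name for name, a in assets.items()}
    hits = {}
    for line in logs:
        f = parse(line)
        # Endpoint logs carry a hostname; network logs only carry the client IP.
        host = f.get("host") or ip_to_host.get(f.get("client", ""), f.get("client"))
        reasons = []
        if f.get("query") in threat["domains"]:
            reasons.append("DNS lookup of " + f["query"])
        if f.get("dst") in threat["ips"]:
            reasons.append("connection to " + f["dst"])
        if f.get("sha256") in threat["sha256"]:
            reasons.append("known-bad file " + f.get("path", "?"))
        if reasons:
            hits.setdefault(host, []).extend(reasons)
    return hits


def exposed_hosts(threat, assets):
    """Return {host: {unpatched CVEs}} for hosts still missing a fix the threat
    exploits. This is the 'are we vulnerable' answer, independent of IoC hits."""
    return {name: threat["exploits"] - a["patched"]
            for name, a in assets.items()
            if threat["exploits"] - a["patched"]}


def board_summary(threat, logs, assets):
    """Condense both checks into the answer the board actually asked for."""
    hits = ioc_hits(threat, logs, assets)
    exposed = exposed_hosts(threat, assets)
    return {
        "threat": threat["name"],
        "hosts_with_ioc_hits": sorted(hits),
        "hosts_exposed": sorted(exposed),
        "already_affected": bool(hits),
        "still_vulnerable": bool(exposed),
    }


if __name__ == "__main__":
    print(board_summary(THREAT, LOGS, ASSETS))
```

Note that ws-031 is fully patched and shows no IoC activity, while srv-007 has no IoC hits yet is still exposed: a clean IoC sweep alone would have reported it as safe. Reporting the two results side by side is what lets you say "not yet hit, but X hosts need patching" rather than a bare yes or no.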
ROI on Security Investments
That leads us to the next insight your board wants: what is the ROI on the company’s security investments? Is the IT or security team actually putting its money where its risk is? By sharing with your board where your company is most and least vulnerable, you will be better positioned to show that you are putting budget and manpower where the company needs them most.
A good place to start proving effective spending to the board is to share where your team is seeing the most vulnerability or threat exposure, and, in light of that exposure, what resources are being allocated to address it. Perhaps the company is seeing high risk with regard to attempted attacks on its consumer-facing application. That may require allocating effort or budget to harden your WAF (web application firewall), or to compare its performance against an alternative.
It could be that your controls are working impeccably, but too many employees are clicking on faux-phishing emails and it’s time to invest in additional training. Alternatively, there are concerns about access by third parties to your network or cloud resources, and stronger access controls are required. In any event, the ROI on technical or human control improvements should be demonstrated.
Lastly, your board will likely want to understand how security investments are improving the company’s overall security posture. To address this need, it is imperative to track security posture metrics over time, enabling you to demonstrate the impact made by your budget prioritization. Alternatively, if there’s high employee turnover or you have insufficient resources, you may be able to explain the dip in your defense’s performance in light of an ever-fluctuating threat landscape.