5 steps to make your security metrics more meaningful to the board


Communicate cybersecurity to your board of directors in their language

83% of boards believe cybersecurity is a top priority.
Harvard Business Review

With the US Securities and Exchange Commission’s new proposals around cybersecurity risk management, strategy, governance and incident disclosure, public companies may need to start reporting regularly on the state of their cybersecurity programs. This would include how their boards oversee cyber risk and are kept informed about security matters.

While a recent survey from Harvard Business Review found that 83% of boards believe cybersecurity is a top priority1, they need your help to understand it. The same study revealed that many board members have not been requesting updates on cybersecurity or participating in threat response planning. Boards will need to get more involved with corporate cybersecurity and risk programs to comply with the proposed regulations.

Communicating the state of security programs to the board has long been a challenge for CISOs and security leaders. Few board members have threat-hunting experience—they excel in business. So how do you turn metrics you collect from your various security tools into something that can help your board see the bigger cybersecurity picture?

You need to speak your board members’ language by framing metrics in ways they can understand. Knowing how many threats were blocked on a given day or how many employees failed the monthly phishing test is great for your security team, but won’t mean much to the board.

Here are some steps you can take to make your metrics more meaningful to the board:

  1. Establish consistent measurements

    This is as important to the security team and CISO as it is to the board, but it can be a challenge when using multiple security tools or inconsistent processes. Metrics must be captured using the same types of data every time to make accurate comparisons. Set up your metrics so they can be measured precisely and consistently.
  2. Provide peer comparison
    Most boards likely don’t have an understanding of what “good” cybersecurity looks like. While you can show performance is improving, they won’t know if you’re going from fair to good or good to great. Comparing your metrics to other companies in your industry provides better context.

    If your CISO has close relationships with other CISOs or you’re part of an Information Sharing and Analysis Center (ISAC), you can present anonymous comparisons. If not, look for surveys by industry associations or security vendors to add context. For example, to someone who isn’t in cybersecurity, hearing that it takes an average of 30 days to remediate critical vulnerabilities sounds slow. But when you add that other comparable organizations need 60 days on average to do the same, your 30 day average looks much more impressive.

  3. Relate metrics to business outcomes
    A recent Gartner survey found that 88% of boards say that cybersecurity is a business issue, not a technical one.2 That’s good news—boards understand the potential business impact of security incidents, like bad press, loss of reputation, fines, and so forth. Help them make this connection by linking your security metrics to business outcomes. For example, a system upgrade needs to be prioritized so it does not jeopardize the organization’s 99.9% uptime goal.

    88% of boards say cybersecurity is a business issue, not a technical issue.
    – Gartner

  4. Quantify risk in financial terms
    Organizations such as IBM and Verizon have published figures year after year that show data breaches cost millions of dollars. Use this information to develop an ROI for your security investments.

    For example, rolling out a new security tool may cost $400k, but if it reduces your risk of a ransomware breach by 20% (the cost of which IBM reports as $4.62M3), we can calculate an ROI of $524k or 131% for that new tool.

    You can also combine security metrics with a risk management tool to provide financial risk calculations. A high-profile vulnerability can have a corresponding business risk that includes financial consequences if the vulnerability were exploited. Only 31% of companies surveyed by SANS Institute4 said they are financially quantifying cyber risk at present, so adopting this method will put you ahead of the game.

    31% of organizations currently financially quantify cyber risk.
    – SANS Institute

  5. Prioritize investment using self-assessments
    Be candid with your board about where you’re doing well and where you need to improve. The NIST Cybersecurity Framework provides detailed categories against which you can assess your organization’s maturity and better identify strengths and weaknesses throughout the entire security lifecycle. With this self-assessment, you can prioritize key projects for future investment and track how your organization’s maturity changes over time.
  6. The NIST Cybersecurity Framework includes guidance on how to self-assess your cybersecurity risk to help measure maturity, costs, and benefits.

Get your board of directors more engaged with cybersecurity by making the reports and metrics relevant to them. By presenting security information through a business lens, you’ll be speaking their language and helping them make better decisions.

  1. Harvard Business Review, Boards Are Undergoing Their Own Digital Transformation, July 2021
  2. Gartner, 6 Key Takeaways from the Gartner Board of Directors Survey, October 2021
  3. IBM, Cost of a Data Breach Report 2021
  4. SANS Institute, SANS Risk Quantification Survey, April 2022