Top 3 Cybersecurity Metrics For Board of Directors


November 4th, 2016

Our team partners with many companies who are challenged with the same objective: Give a compelling and clear understanding of the cyber security program to the Executive Committee and the Board of Directors.  If you are looking to solve this same objective then continue reading about the top 3 cybersecurity metrics for board of directors.

Like everything else in life arriving at the end result is never a very straight path there are bound to be curves and peaks and valleys along the way. However we offer a simple guide to get you the results because in the end results are what matter.

Metric 1: Cybersecurity Program Score
You may be asking what this score is, what it means and how is it created? Our industry is riddled with frameworks, regulations, varying degree’s of multiple approaches to in the end achieve the same desired outcome. Historically security programs were measured using risk and audit with audit as the primary driver for creating a security program.  Audit was often the result of outside regulatory or customer pressure or inquiry to a set of pre-defined best practices. Our industry has matured to a point where companies are proactively adopting frameworks like NIST CSF or ISO27001: 2013 to manage with a set of widely known best practices. So to begin with an overall program score many companies look to a risk assessment for an overall view to communicate risk as it relates to the important digital business assets. Although this is a very important exercise it does fall short in delivering an overall program score and telling a meaningful story to the business leadership. To convey the effectiveness and capacity of a cybersecurity program instead look to an overall maturity score.  Using a maturity score is also much easier to tie back to a business story around investment of the program and outcomes from previous investments driving toward an overall maturity score. Maturity scores also give leading indicators to areas of higher risk and further support a classic risk assessment report.

Metric 2: Incident Summary

Every company should have a defined incident response process that is rehearsed and refined over time. Board members and executive committee’s want to understand at a high-level how many incidents occurred in a general category rating.  Such as 10 – High Impact Incidents; 5 Medium Impact Incidents and 25- Low Impact Incidents.  This translates into how well the team’s are at detecting, mitigating and resolving incidents. Incident summary tracking over time (trending) becomes important as it can lead to indicators of what is to come or areas where additional emphasis should be applied. For example, an upward trend in PII-related incidents may be a symptom of growth and fast hiring in customer service where opportunity exists to emphasize additional privacy or security training of data handling practices. In general leadership is genuinely interested in the capability of incident response and preventing these incidents from turning into data breach or data loss events.

Metric 3: Brand Protection Score

Like anything you can make this a very complicated and laborious process but it does not have to be.  SO KEEP IT SIMPLE!  Instead of getting your marketing, communications and PR firm involved simply report on what you know.  A major catalyst for investment in security is to protect the brand.  Therefore know how many incidents occurred that were made publicly available via media or press release. Also understand how internal customer satisfaction with cyber security services compare to that of external customer satisfaction to give context.  These numbers can range on a 10 point scale or as a percentage of overall satisfaction.  Finally to round out the Brand Protection Score consider including a score (response time or % success rate) to take down fraudulent sites leveraging your brand and shut down email spoofing scams posing as the company’s domain or a variation thereof.