We are now approaching the last full week of October, and this means it will be the end of Cyber Awareness month until 2021.  As I have been perusing the news headlines this past week, I have seen the usual ones about the hacks, theft of data, etc. 

But there is a new theme that has started to come out:  How CISOs should report metrics not only to their CEO, but also to their Board of Directors as well.  Simply put, it all comes down to presenting the level of risk that a given company is at, what can be done to bring down as much as possible.

But when presenting to such a group of people, all that matters are numbers, metrics, and of course the bottom line.  Therefore, in order to present a rock-solid report, the CISO is now being tasked to impose a set of metrics and Key Performance Indicators (KPIs) onto their IT Security Team. 

But as we all know, the world of Cybersecurity is always changing on a daily basis, so it thus important to find those metrics/KPIs that will have some meaning to them.

So, how does one even go about first of all even defining this?  It can be difficult, because Cybersecurity is not a sales job where you can impose monthly and yearly quotas.  So, what it all comes down to as that you, the CISO, need to figure out what metrics/KPIs are most relevant to measure your IT Security Team with.  In order to help you get started, here are some tips to keep in mind and use:

*Stay away from just reporting the amount of work that has been done:

Whenever a company procures and implements a new kind of security tool or technology, one of the first knee jerk reactions is to present to the boss just how many alerts and warnings it captured in a certain amount of time.  While this can be good in one sense, think of the flip side:  Just how many of these alerts and warnings were actually false positives?  Probably a good deal of them.  In this regard, probably a much more effective metric would be how many legitimate alerts and messages were captured versus the amount of false positives.  This will clearly demonstrate to you if that new tool or technology is actually doing its job.  In other words, stay away from measuring how much work has been done versus the true effectiveness of the results of that work that has been accomplished.

*Try to find the unhidden trends:

Any company (and yes, even including my small tech writing biz) can collect a lot of information and data.  But there are key differences in the types of this data.  First, there is what is known as the “Structured Data”.  This is the data that is immediately presentable, and that you can glean trends very quickly off of.  Then there is the “Unstructured Data”.  This is where there are hidden and unnoticeable trends in the data that you are collecting.  Truth to be told, this kind of stuff holds a lot more value and meaning that the Structured Data.  For example with this, you can quickly discover any malicious or suspicious behavior, and even predict what the Cyberthreat Landscape will look like into the future.  These kinds of findings will have a lot more meaning as you present your report to the Board of Directors.  This will simply show that you, the CISO, are taking a proactive role in determining what other factors will bring that level of Cyber Risk down even further.

*Try to map your data:

It is one thing to simply collect a bunch of data, aggregate it, and present it to the Board of Directors.  But then it is yet another if you can actually extrapolate that data and determine its bearing on future outcomes.  For example, if your data currently shows that a new threat variant could be coming out, why not use some statistical modeling (such as multiple regression analysis) to actually get a gauge of its odds of the real probability of it emerging and possibly when?  This is also known as “Data Mapping”, and simply put, with these techniques, you are trying to find correlations between both the Structured and Unstructured Data in order to determine what the future could possibly hold.  These correlations are also technically referred to as “mapping”.  Think this is a complicated process?  In theory it is, but keep in mind that there are many tools out there that can compute all of this for you in just a matter of a few minutes, especially when it comes to both Artificial Intelligence (AI) and Machine Learning (ML) software packages.

*Present only what is requested:

As a CISO, it is only human nature to present all of the metrics and KPIs to your Board of Directors to show that you have done your job well.  But you know what?  As sad as it may sound, they really don’t care.  They are only interested in one thing:  The bottom line.  So therefore, get together with your CIO and even CEO if need be, and figure which of those metrics and KPIs your Board wants to know about.  This will be the most effective use of not only your time, but there’s as well.

*Always present progress:

As a CISO, one of the key areas in which you will be grilled in is about the effectiveness of the controls that you have put into place in order to mitigate and bring down your current level of Cyber Risk. While it is important to show the snapshot at the current state of time, a group of metrics and KPIs that will be especially relevant is to demonstrate not only that, but how new strategies implemented now will bring that level of Cyber Risk down into the future.  In other words, you trying to show progress by correlating what is happening now to what is projected into the future.  Of course, the reality is that you may not have all of the tools and technologies currently in place to do this, but this is your prime time opportunity to ask for that much needed funding because you are showing that with these extra resources, the level of Cyber Risk exposure can realistically come down.

My Thoughts On This

Well, there you have it, some key ideas on how to craft out some metrics KPIs and metrics that will be especially relevant to your Board of Directors.  But this is by no means an exhaustive list, there are other strategies that you can use as well.  If this is your first time accomplishing this kind of project, there are many Cyber Risk Methodologies (aka “Frameworks”) that you can use to get started to calculate your levels of Cyber Risk.

But keep in mind one thing.  While KPIs and metrics are no doubt important, don’t impose them onto your IT Security Team all the time.  In other words, they are not in a sales job where they have to be constantly reminded of their quotas. 

They are stressed out enough as it is, and don’t by any means need that extra pressure.

Instead, collect your information and data, and use that to compile your report to your Board of Directors.  I am talking from personal experience on this one.  People hate to be judged solely on the basis of KPIs and metrics.  That is no way at all to motivate your IT Security Team, and if anything, it could have its set of negative consequences.