How Should Cybersecurity Leaders Report on Their Progress? – BizTech Magazine

Posted: May 17, 2022 at 7:59 pm

Start with the Big Five

Security metrics reported to the board need to be clear, actionable and impactful. In other words, they must be aligned with business goals and stated in terms that are immediately understandable. Here are five business areas that a CISO should consider when building out metrics-based reporting for a board of directors and other business leaders:

These metrics will demonstrate where and how well the program is working by articulating how much revenue is being protected, how security initiatives improve efficiency and productivity, and where the gaps lie.

Each of these metrics must be based on a clear understanding of the company's goals. To gain this level of awareness, CISOs should work with senior management and business unit heads to learn which systems, data and assets would have the biggest impact if compromised.

The practice of discussing cybersecurity threats and their potential impact can build rapport with various business teams while also providing a broader understanding of the issues and uncovering potential solutions. In addition, when the security team communicates with colleagues who generate revenue, especially the sales and marketing teams, admins gain a deeper understanding of what drives revenue, which can help them better identify sensitive data. This exercise can also give insight into what would happen, in terms of revenue, if that data were to be compromised or made unavailable.


A business impact analysis is a vital tool for revealing high-priority assets, their overall value, and the current level of protection for each. It can help prioritize incident response for various assets and help the CISO identify how security programs contribute to the company's revenue. Such an analysis can be especially helpful for CISOs who have come up through the technical side of the business and may have a lower comfort level with business issues.

A clear understanding of corporate goals and paths to revenue can clarify how implementing the security strategy will help the organization and its employees accomplish their goals. Researching the threats the organization is likely to face in the coming months can identify where the gaps in security lie. The CISO can then discuss the most important threats and the gaps they expose, and describe what it will take to close those gaps.

With these steps, the CISO can move beyond being simply the provider of compliance checks to become a true business enabler. By taking a business-first approach, security can serve as a bridge between the board and the IT and security teams. A focus on the most critical measurements (understandable, actionable and impactful) will lead to clear communication of the current and desired security posture in terms that the audience understands instinctively. What better way to advocate for funding where it is really needed?
