A session at RSA Conference 2015 discussed how chief information security officers (CISOs) report to the board, specifically looking at what types of information and metrics are presented. A study found that most CISOs focus their reporting on vulnerability management, while incident response plans, compliance audits and specific security projects receive less time and priority; in addition, 12% of CISOs include no metrics at all in their security reports. What advice do you have for making CISO reporting more balanced and actionable? How much of a role should security metrics play in the reporting?
If you were to survey CEOs of the top Fortune 1000 companies and ask them what keeps them up at night, the answer would not be cybersecurity. Their primary driver is to maximize shareholder wealth. The board of directors governs the organization by establishing broad policies and objectives, approves annual budgets, sets compensation packages for company management and focuses on the viability and profitability of the enterprise. Understanding the executive mindset will help you determine what's necessary to include in security reports.
The makeup of a typical board of directors, in addition to the CEO and selected company executives, includes ex-CEOs, pundits in their particular industry and ex-Big 4 partners. The CISO should know who specifically sits on the board. Depending on who they are, their background and interests, the CISO can tailor security reports to provide expert guidance and ensure they understand what risks exist for the company.
Security metrics are critical to collect if for no other reason than to identify the attack vectors targeted at the company. But to report on the minutiae of types of attacks does not provide what the board needs to know in deciding on matters related to the information security program.
A passive board of directors just wants to know if everything is under control and if there are any security matters that should be brought to their attention. They want to know if they are in jeopardy of not being in compliance with privacy, disclosure, data retention or information protection laws and regulations. An active board will approve a charter for the information security program. They will annually approve the information security policy and empower the CISO to deploy the proper level of security necessary to protect corporate assets.
The focus of security reports should be on current risks, compliance, incident response, attack vector experience and evolving risks that the company needs to prepare for. Security reporting should be relevant, comprehensive, flexible and easy to understand.
The information security program should be based on a well-established and industry-accepted framework. There are many, but one example is ISO 27002, which is made up of ten domains. An information security assessment should be conducted to provide a security report for each domain. The CISO can briefly explain the framework and how each of the domains is calculated, but it will be more effective to show the board only a visual representation of the report, such as a pie chart or bar chart. Be on the agenda for every board meeting and show each pie chart from the initial report alongside subsequent reports for a more powerful visual. The board will be able to see the progression in a simplified way. The remaining time allotted for the CISO's report should be used to describe the existing efforts and remediations intended to make further progress.
Boards are becoming more security-aware. They read the news and wonder if their company will be the next casualty. They look for what they can learn from others to prevent the same from happening to their company. CISOs should ensure their security reports demonstrate that they will not be the next casualty.