Cybersecurity is critical. Everyone knows that. Justifying to the board of directors the amount of money needed to sustain cybersecurity? That's not as straightforward, and that's why IT security managers must continually find ways to explain the value a comprehensive cybersecurity strategy brings to the overall business.
The goal should be to illuminate -- without getting too technical -- those cybersecurity operational metrics and measures that paint a picture of the current threat landscape. Let's look at some of the most important cybersecurity metrics for the board.
Detected intrusion attempts. Graphing intrusion attempts over time may not be the most important statistic from an IT security standpoint. But it does give the board a picture of the overall number of threats the business faces at any given time. The trouble with IT security is that, when prevention mechanisms work and few incidents occur, business leaders tend to assume they're no longer a target. Sharing statistics that show attacks are still being blocked every day is a good way to demonstrate that cybersecurity threats continue to exist and keep growing. Be consistent about what counts as an attempt (for example, connections dropped at the firewall versus alerts an analyst actually triaged), because a change in tooling or tuning can move this number far more than a change in the threat landscape does.
Incident rates, severity levels, response times and time to remediation. Board members are likely to be interested in cybersecurity improvements over time. After all, they are allocating money to improve security, so the numbers should indicate that their money is being used wisely. Collecting and plotting incident counts, their severity levels, response times (detection to containment) and time to remediation (detection to root-cause fix) over specific periods is a great way to show that the tools and staff in place are making a positive impact toward protecting the organization's data and intellectual property. Use the same definitions and severity scale every period so the trend is comparable from quarter to quarter, and show medians alongside averages, since a single long-running incident can skew a mean and make a good quarter look bad.
Vulnerability patch response times. Even nontechnical board members understand that business-critical software must be quickly patched when vulnerabilities are discovered. Data showing how quickly applications, OSes and tools are patched after a fix is released shows the board you're on top of the latest security vulnerabilities. Break the figures out by severity and, where known, by whether the vulnerability is being exploited in the wild, and report the share of patches applied within your own target window rather than a single overall average; a backlog of slow, low-severity patches should not hide a fast response to critical ones, and vice versa.
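As an added example of how the two preceding metrics can be produced from raw records, the following Python computes per-severity response and remediation times and patch latency against a target window. It is not code from the original article; the incident and patch records are constructed sample data, and the SLA windows (7, 30 and 90 days) are assumed values, not an industry standard.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (not real data). ISO 8601 timestamps:
# "detected" is when the incident was confirmed, "contained" when the response
# stopped it spreading, "remediated" when the root cause was fixed.
INCIDENTS = [
    {"id": "INC-1", "severity": "critical", "detected": "2024-01-03T08:00",
     "contained": "2024-01-03T10:00", "remediated": "2024-01-05T08:00"},
    {"id": "INC-2", "severity": "critical", "detected": "2024-02-10T22:00",
     "contained": "2024-02-11T02:00", "remediated": "2024-02-12T22:00"},
    {"id": "INC-3", "severity": "high", "detected": "2024-01-15T09:00",
     "contained": "2024-01-15T17:00", "remediated": "2024-01-20T09:00"},
    {"id": "INC-4", "severity": "high", "detected": "2024-03-02T09:00",
     "contained": "2024-03-03T09:00", "remediated": "2024-03-09T09:00"},
    {"id": "INC-5", "severity": "medium", "detected": "2024-03-20T12:00",
     "contained": "2024-03-22T12:00", "remediated": "2024-04-03T12:00"},
]

# Constructed sample patch records: vendor release date and the date the fix
# was fully deployed in the environment.
PATCHES = [
    {"id": "P-1", "severity": "critical", "released": "2024-02-01", "installed": "2024-02-04"},
    {"id": "P-2", "severity": "critical", "released": "2024-02-20", "installed": "2024-03-05"},
    {"id": "P-3", "severity": "critical", "released": "2024-03-12", "installed": "2024-03-15"},
    {"id": "P-4", "severity": "high", "released": "2024-01-09", "installed": "2024-01-30"},
    {"id": "P-5", "severity": "high", "released": "2024-03-01", "installed": "2024-04-15"},
    {"id": "P-6", "severity": "medium", "released": "2024-01-02", "installed": "2024-03-01"},
]

# Assumed (hypothetical) patch SLA windows in days from release to install.
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps or dates."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def incident_metrics(incidents):
    """Per-severity response (detect->contain) and remediation (detect->fix) times in hours.

    Both mean and median are returned because one long incident skews the mean."""
    by_sev = defaultdict(list)
    for inc in incidents:
        by_sev[inc["severity"]].append(inc)
    out = {}
    for sev, items in by_sev.items():
        response = [_hours(i["detected"], i["contained"]) for i in items]
        remediation = [_hours(i["detected"], i["remediated"]) for i in items]
        out[sev] = {
            "count": len(items),
            "mean_response_h": round(mean(response), 1),
            "median_response_h": round(median(response), 1),
            "mean_remediation_h": round(mean(remediation), 1),
        }
    return out


def patch_metrics(patches, sla_days=PATCH_SLA_DAYS):
    """Per-severity patch latency in days and the share installed within the SLA window."""
    by_sev = defaultdict(list)
    for p in patches:
        by_sev[p["severity"]].append(_hours(p["released"], p["installed"]) / 24)
    out = {}
    for sev, days in by_sev.items():
        within = sum(1 for d in days if d <= sla_days[sev])
        out[sev] = {
            "count": len(days),
            "median_days": round(median(days), 1),
            "pct_within_sla": round(100 * within / len(days), 1),
        }
    return out


def board_summary(incidents=INCIDENTS, patches=PATCHES):
    """Plain-language lines a board slide could carry, one per severity and metric family."""
    inc, pat = incident_metrics(incidents), patch_metrics(patches)
    lines = []
    for sev in ("critical", "high", "medium"):
        if sev in inc:
            m = inc[sev]
            lines.append(f"{sev}: {m['count']} incidents, median response "
                         f"{m['median_response_h']} h, mean remediation {m['mean_remediation_h']} h")
        if sev in pat:
            m = pat[sev]
            lines.append(f"{sev}: {m['count']} patches, median {m['median_days']} days "
                         f"to install, {m['pct_within_sla']}% within SLA")
    return lines


if __name__ == "__main__":
    print("\n".join(board_summary()))
```

The per-severity split is the point: with these sample records the overall patch latency averages out to roughly three weeks, which hides that two of three critical patches went in within three days and one took two weeks. Showing the share within the target window, by severity, tells the board what the single average cannot.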
Number of users broken out by application/data access levels. Board members may still be under the false assumption that most cybersecurity threats come from outside the organization. Sharing cybersecurity metrics for the board can be a great way to inform business leaders that insider threats, whether malicious or simply careless, are a far greater issue than they assume. To help get that point across, use data -- including internal data loss metrics, onboarding and offboarding numbers, and employee application access tracking -- that illustrates how often data loss and theft originate with employees, and how many accounts hold more access than their role requires. It also helps board members understand the need for modern preventive measures, such as least-privilege access controls and a zero-trust framework.
Overall volume of data the business generates. While not necessarily a security metric, explaining how much data is generated and sent through the corporate network can be of great value when budget season comes around. Changes in traffic volumes, whether gradual or abrupt, can help justify the need for new or upgraded security tools. This metric will help drive home -- and correctly so -- the notion that, as network usage increases, so should the amount of money allocated to protect that growth.
Peer pressure. One of the best ways to showcase your cybersecurity efforts is to demonstrate how you stack up against your peers in the industry. Board members are often focused on their competition; thus, it makes sense they would be interested to see how they compare against others within the same market vertical. Fortunately, many cloud-based security analytics tools provide the ability to take anonymized security metrics of your business and compare them to others in the same industry. In a sense, this is a "metric of comparing metrics" -- and it's one of those instances where the board's natural competitiveness will generate interest in how IT is performing from a cybersecurity perspective. Before presenting such a comparison, check how the tool defines each metric and how many peers are in the sample; a benchmark built from a handful of organizations that count incidents differently than you do can mislead the board in either direction.
Beware pre-packaged, "executive" reports. Many cybersecurity vendors enable customers to generate executive reports they can pass on to business leaders. These reports often come off as too granular and technical. Ultimately, the reports go unread, and the underlying value IT security teams offer to board members goes unnoticed. While canned reports are a tremendous timesaver, they should not simply be generated and emailed to upper management. Instead, more thought needs to be put into what information your board is likely to want to see. Providing the most important cybersecurity metrics for the board should never be thought of as a one-size-fits-all endeavor.