1. Use Metrics That Relate to Business Objectives
Board members and other business leaders are not security experts. Metrics on vulnerability reduction, threats blocked, and attacks mitigated are more meaningful when presented in the overall context of business risk reduction.
"Metrics should be related directly to business objectives," says Chris Morales, head of security analytics at Vectra. "How does operational process impact the company's ability to respond, and how does that relate to selling product in the market?"
Numbers also should reflect simple trends based on objectives. "No one at the board level cares about how much malware you blocked every month," he notes.