These conversations, summarized below, demonstrate that board members are paying close attention to their organizations' security programs — their approach and effectiveness and the impact on risk posture. Additionally, board members' influence on the direction of a company's security program has grown.
As a result, IT leaders must report regularly that security technology, people, and processes are optimized to protect and defend the organization so that when a breach or attack does take place, it will have minimal impact on the brand and bottom line. Further below, I offer tips for how best to measure, prove, and report security performance metrics to the board and business leadership.
"Cybersecurity is undeniably a board priority. To do their jobs, boards need to understand variables like risk posture, relevant threats, and effectiveness of security controls. They also need to know what the right responses should be while understanding that cybersecurity is constantly changing. It's critical to have timely measures for how well your cybersecurity controls are working and how well they respond to the latest threats."
—Julie Cullivan, board member at multiple healthcare, technology, and cybersecurity companies and former executive at Forescout, FireEye, McAfee, and others
"While all board members don't need to be cybersecurity experts, they do need to be able to interpret risk metrics regarding cybersecurity, just like they do when understanding sales, operations, and finance. Only when there is an understanding of the risks can boards provide the most appropriate oversight and governance. The cybersecurity leaders that are most successful at their jobs and at interacting with the board are highly technical. But they are also true corporate executives. They must have or develop business skills."
—Art Coviello, former RSA president & CEO, and board member at a financial services company and multiple technology companies
"Boards and the C-suite are recognizing that 'software with a service' is the future of cybersecurity. Technology-led platforms augmented by security and operations experts are delivering value via productized services. This may be utilizing software with a service through a combination of red teaming, security validation, event analytics, and threat intelligence where I need to continuously know the state of my controls from multiple real-time and forensic angles, where my gaps are, and how to fix them when validated against the most timely and relevant threat intelligence."
—Jay Leek, managing partner and co-founder of ClearSky Security, board member for multiple technology and cybersecurity companies, and former Blackstone CISO
"Virtually every brand is built around some level of trust. As such, board members need to ask questions about how cybersecurity is being leveraged to protect the brand's value proposition at a point in time and measured over time. Cybersecurity for your multicloud environment must be a board-level conversation now. If you wait two more years to start having this conversation, you'll be too late to the party and you'll be less competitive."
—Kara Nortman, managing partner at Upfront Ventures and board member with several technology and cybersecurity companies
"When I see boards, executives, auditors, and security teams successfully achieving good governance hygiene, part of that success is usually a result of cybersecurity leaders being educated in the fundamentals of business risk management. For some businesses, cybersecurity has become essential to the company's strategy and value proposition. In these instances, boards are very diligent in understanding the effectiveness of security controls, processes, and people at a point in time and trended over time."
—Matt Bigge, partner at Crosslink Capital and board member with multiple technology and cybersecurity companies
Three Steps for Reporting to Executives
CISOs and IT leaders need to report, in quantifiable business terms, the value the organization's security program delivers based on continuous testing, optimization, and proof of effectiveness. Below I've outlined three steps CISOs should take to accomplish this and report in terms that the board and C-suite understand.
1. Let Intelligence Lead the Way
Intelligence about the organization's most relevant threats and the tactics used gives guidance into what controls are needed. When evaluating threat-intel vendors, the key areas to focus on include:
- Will you receive a combination of types of intelligence, including machine intel, managed services, and adversary intel?
- Does the vendor integrate threat intel feeds into your current IT environment?
- Do you feel confident in the expertise of the team, the comprehensiveness of the data, and the ability for automation and personalization of data?
2. Validate With Proof of Effectiveness
The value of security validation is becoming more understood, yet security leaders are often unsure of how best to implement and perform validation for meaningful results. The five key components of an impactful security validation program include:
- Prioritize what to test based on threat intel.
- Test and measure performance of security controls.
- Optimize controls based on performance testing.
- Rationalize the program to fill gaps and eliminate duplication of controls.
- Continuously monitor the environment; keep the process going so that changes in IT are accounted for in ongoing testing and measurement.
3. Report With Confidence
- Based on the five-step validation process, you can share quantitative proof that the security program is working and protecting the company's risk posture.
- You also have peace of mind that any performance fluctuations will be flagged and remedied automatically.
- Reporting in business terms gives key stakeholders assurance they need to communicate a strong security posture to their constituents.
These steps can help CISOs streamline operations and concentrate resources where they will have the greatest likelihood of success, while identifying areas where more spending may be needed or costs can be cut without impacting risk. Ultimately, security leaders can assure the C-suite and the board, with quantifiable evidence, that the company's cyber hygiene is strong and its market position protected.