
Communicating with Impact: Tips for Discussing Cybersecurity Metrics with Boards

Metrics have a place when it comes to reporting on organizational security and risk management, but effectively communicating their relevance to the board in the context of the overall security story is more important than simply reporting on the raw numbers.


How should Chief Information Security Officers (CISOs) evaluate and report on the state of their organization’s cybersecurity and its impact on the business? How should they determine which metrics to reference so that they resonate and are informative for the board? 

CISOs often face a dilemma in communicating metrics to the board: balancing the desire to be comprehensive and clear about impact against the need to deliver the message in limited time.

Identifying Areas of Focus

Before something can be measured, it’s important to gauge what it is being measured against and why. The board in its oversight role needs to determine, in partnership with the business, the level of cybersecurity risk they are willing to accept in pursuit of achieving their business objectives. By extension, the CISO’s role, in partnership with other leaders in the organization, is to keep the board informed on whether the organization’s cybersecurity risk profile is within that defined appetite by monitoring and reporting on a set of relevant indicators. 

Importantly, cybersecurity metrics, often consisting of key performance indicators (KPIs) and key risk indicators (KRIs), are not “one-size-fits-all,” and defining those that are most relevant for the organization is an exercise informed by the organization’s business mix, the current and evolving threat landscape, and the effectiveness of the organization’s control environment.  

To determine which metrics to focus on, consider including those that provide the board with insight into risk management in the following five areas, as further discussed in Perspectives on Security for the Board:

  • What are the current threats to your organization?

  • What is the significance if one or more of those threats impact your organization?

  • What is cybersecurity leadership doing to mitigate those threats?

  • How is the CISO testing to determine whether these mitigations are working?

  • What are the risks that aren’t mitigated, but which the organization is willing to accept?

Having identified a key set of metrics that are aligned to informing responses to the risk management questions above, it’s crucial to monitor them over time for trend analysis and to provide the board with regular updates. Effective CISOs know that the answer to many of the board’s questions regarding the organization’s cybersecurity posture, operational resilience, and comparison relative to its peers, will be nuanced and typically can’t be addressed by pointing to a specific metric. Rather, a good response typically begins with some contextualization and a few examples of significant data points. 

Cybersecurity-related KPIs and KRIs should be presented in a manner that ties them into the overall business risk. For impactful messaging that resonates with the board, CISOs should articulate how these metrics relate to critical business services and assets, while also indicating how those metrics are relevant in the context of emerging cybersecurity risks and the changing regulatory landscape. 

The metrics should likewise inform the board's understanding of whether the business is operating within its risk appetite and how the organization’s cyber maturity compares to its peers. Using consistent templates to track key indicators enables trend analysis and monitoring for control efficacy. Consider how to structure the information into a single pane view that sets out the risks, relevant controls, and the effectiveness of those controls as indicated through the organization’s continuous monitoring efforts. Doing so not only enables a normalized frame of reference, but also helps track progress toward identified goals. 

Metrics Are Just One Part of the Puzzle

The board is interested in a thematic overview of relevant trends, and only in those qualitative and quantitative cybersecurity metrics that provide insight into the “big picture” view of the organization, threat landscape, regulatory environment, and other significant indicators.

Clearly articulating the material risks for the board’s awareness, as well as any action or approvals that are being sought, will go a long way in supporting a fruitful discussion. In addition, consider ways to address certain key questions regarding the overall governance, operating model, impact to the organization’s risk profile and appetite, and regulatory compliance posture that are top of mind for boards. Proactively providing insights in these areas enables transparency and builds trust, both of which are critical components to supporting the board in being informed, engaged, and involved. 


About the Author(s)

Alicja Cade

Director, Office of the CISO, Financial Services, Google Cloud

Alicja Cade, Director, Office of the Chief Information Security Officer (OCISO), Google Cloud, is responsible for shaping cloud security and compliance approaches for financial sector institutions and partnering with GCP clients throughout their security transformation.

Prior to Google Cloud, Alicja was CISO Americas and Global Head of Data Confidentiality Operations at UBS and was CISO for Investment Banking, Group Functions and Americas at Credit Suisse. Earlier in her career Alicja worked at PricewaterhouseCoopers in the UK and US in the IT and Cyber Risk Practice, where she helped to lead the way for the growth of the financial services business.

Alicja has previously served as the Chair of the Institute of International Bankers (IIB) Information Security and Operational Resilience Committee and is a member of the Cloud Security Alliance (CSA) Financial Services Leadership Council and CxO Trust Advisory Council.

Marina Kaganovich

AMERS Financial Services Executive Trust Lead, Google Cloud Office of the CISO

Marina supports Google Cloud’s financial services customers in the Americas on Trust topics throughout their cloud journey, focusing on regulatory compliance, risk management, governance and oversight, cybersecurity and privacy.

Prior to joining Google, Marina held Legal and Compliance roles on Wall Street, overseeing the broker dealer compliance program at Thomson Reuters (now Refinitiv), leading US Compliance for the Technology, Human Capital Management and Corporate Services divisions at Goldman Sachs, and most recently, running the Digital Compliance team at BNP Paribas where she specialized in advising on emerging technologies including AI/ML and digital assets, and oversaw programs related to cybersecurity, data privacy, and cloud digital transformation initiatives.
