4 Metrics That Help CISOs Become Strategic Partners With the Board

Being a chief information security officer (CISO) is hard. The job comes with endless worries, daily threats, and growing expectations. Many CISOs experience burnout, and most find it difficult to be recognized as strategic, growth-oriented partners to their leadership team and board of directors. 

Challenges CISOs Face When Reporting to the Board

It can be hard for CISOs to prove their department's impact to organizational leadership and board members when executives don't have the expertise or context to fully understand information security.

In the quarterly board meeting, you must quickly present information that resonates and makes sense to leaders with varying expertise. Information about risk and business impact must be presented in a straightforward manner. Budget requests need to be explained in relation to business growth or impact. A relationship of trust has to be built with the board.

How does a CISO do all of that? 

4 Key Metrics for CISOs to Share in Board Presentations

A well-structured board presentation should start with a summary. Lay out how the information security program is protecting the company and helping it meet compliance commitments, and present the status of critical workstreams.

After the summary, framing your work as a CISO using the following four metrics allows you to share your strategy and accomplishments in a manner that aligns with the most critical parts of every business: risk, growth, expenses, and people.

Risk and Liability Protection

Create alignment with the board on the top risks that must be mitigated to protect the company and board from liability and increase the chance of achieving critical business objectives.

During this exercise, it is imperative that the board signs off on the minimum risk threshold for each risk. Some examples of board-level information security risks include customer data breaches; noncompliance with regulatory laws; nonadherence to security, privacy, and cybersecurity insurance policy contractual commitments; and vendor and supply chain risk.

Your quarterly CISO board report must describe each identified risk in detail:

InfoSec ROI and Improvements

Security budgets are under pressure. Legacy solutions do not deliver business value and protection in line with the cost of the investments. More people are needed to manage old tools and processes. Adopting modern solutions that reduce the cost burden of information security workflows can validate how investments in the security program create a larger impact over time. 

An effective way to showcase return on investment (ROI) improvement is to pick the top five investment areas and highlight the business impact improvements over time for each investment area. For example, investments may enable monitoring a larger IT asset base, discovering more attacks, or completing more compliance audits. 

Revenue Acceleration

Most companies need to continually improve their security posture to meet an expanding list of contractual requirements as they grow their customer and partner bases, expand into new markets and geographies, and build new products. 

CISOs who position themselves as growth-oriented business partners track:

Enterprisewide Security and Privacy Engagement

The proliferation of cybersecurity risk requires strategies that turn security into a team sport. Every employee needs to be trained and enabled to do their part to help keep the company secure. 

CISOs can be enablers of a strong security culture by presenting metrics about employee compliance to requirements, such as completing security awareness training and adhering to IT asset security, control, and compliance. Use examples showcasing quarter-over-quarter improvement.

Trust Is the Foundation

The last part of your presentation should detail critical workstreams in the current quarter, and the objectives and key performance indicators for each workstream.

Trust is the foundation of every business relationship, and this is especially true with board-CISO relationships. The way for CISOs to be strategic with their board is to showcase a consistent, transparent, and verifiable measure of confidence on how the InfoSec program protects the business from risk and liability, helps accelerate revenue and growth, and reduces costs while increasing productivity. This helps creates support and appreciation for how the CISO is driving the business forward.