4 Metrics That Help CISOs Become Strategic Partners With the Board

To demonstrate the CISO role's value, frame your work using metrics that align with the most critical parts of every business: risk, growth, expenses, and people.

Sravish Sridhar, CEO & Founder, TrustCloud

December 7, 2023


Being a chief information security officer (CISO) is hard. The job comes with endless worries, daily threats, and growing expectations. Many CISOs experience burnout, and most find it difficult to be recognized as strategic, growth-oriented partners to their leadership team and board of directors. 

Challenges CISOs Face When Reporting to the Board

It can be hard for CISOs to prove their department's impact to organizational leadership and board members when executives don't have the expertise or context to fully understand information security.

In the quarterly board meeting, you must quickly present information that resonates and makes sense to leaders with varying expertise. Information about risk and business impact must be presented in a straightforward manner. Budget requests need to be explained in relation to business growth or impact. A relationship of trust has to be built with the board.

How does a CISO do all of that? 

4 Key Metrics for CISOs to Share in Board Presentations

A well-structured board presentation should start with a summary. Lay out how the information security program is protecting the company and helping it meet compliance commitments, and present the status of critical workstreams.

After the summary, framing your work as a CISO using the following four metrics allows you to share your strategy and accomplishments in a manner that aligns with the most critical parts of every business: risk, growth, expenses, and people.

Risk and Liability Protection

Create alignment with the board on the top risks that must be mitigated to protect the company and board from liability and increase the chance of achieving critical business objectives.

During this exercise, it is imperative that the board signs off on the minimum risk threshold for each risk. Some examples of board-level information security risks include customer data breaches; noncompliance with regulatory laws; nonadherence to security, privacy, and cybersecurity insurance policy contractual commitments; and vendor and supply chain risk.

Your quarterly CISO board report must describe each identified risk in detail:

  • Objective: What business objective does this risk align with?

  • Short description: Describe the risk in approachable language.

  • Quantitative residual risk and financial impact score: Use quantitative risk verification techniques to measure the residual risk score for each risk, highlighting whether the likelihood and potential impact of each risk are below the acceptable risk thresholds. Don't use qualitative methods, which can be harder for the board to interpret.

  • Action plan and timeline: How will you further reduce each risk, and by when?

  • Budget allocation and asks: What budget is allocated to each risk, and can a new budget allocation reduce the exposure to the risk?

  • Trends and benchmarks: How has the residual risk score of each risk changed over time? Describe how your risk posture compares to companies of your size and in your market by accessing industry benchmarks from analysts.

InfoSec ROI and Improvements

Security budgets are under pressure. Legacy solutions do not deliver business value and protection in line with the cost of the investments. More people are needed to manage old tools and processes. Adopting modern solutions that reduce the cost burden of information security workflows can validate how investments in the security program create a larger impact over time. 

An effective way to showcase return on investment (ROI) improvement is to pick the top five investment areas and highlight the business impact improvements over time for each investment area. For example, investments may enable monitoring a larger IT asset base, discovering more attacks, or completing more compliance audits. 

Revenue Acceleration

Most companies need to continually improve their security posture to meet an expanding list of contractual requirements as they grow their customer and partner bases, expand into new markets and geographies, and build new products. 

CISOs who position themselves as growth-oriented business partners track:

  • Revenue supported by the InfoSec team per quarter by completing security questionnaires and reviews.

  • Customer service level agreement (SLA) trends to show reductions in the time spent to complete customer security reviews.

  • Vendor SLA trends to show reductions in the time spent to complete vendor security reviews.

  • Productivity gains from automation compared to manual processes, showing that the information security program is doing more with less. 

Enterprisewide Security and Privacy Engagement

The proliferation of cybersecurity risk requires strategies that turn security into a team sport. Every employee needs to be trained and enabled to do their part to help keep the company secure. 

CISOs can be enablers of a strong security culture by presenting metrics about employee compliance with requirements, such as completing security awareness training and adhering to IT asset security, control, and compliance policies. Use examples showcasing quarter-over-quarter improvement.

Trust Is the Foundation

The last part of your presentation should detail critical workstreams in the current quarter, and the objectives and key performance indicators for each workstream.

Trust is the foundation of every business relationship, and this is especially true of board-CISO relationships. The way for CISOs to be strategic with their board is to showcase a consistent, transparent, and verifiable measure of confidence in how the InfoSec program protects the business from risk and liability, helps accelerate revenue and growth, and reduces costs while increasing productivity. This helps create support and appreciation for how the CISO is driving the business forward.

About the Author(s)

Sravish Sridhar

CEO & Founder, TrustCloud

Sravish Sridhar is founder and CEO at TrustCloud, enabling businesses to build trust with instant compliance verification. Sravish is a successful three-time startup founder with an entrepreneurial passion to build and support companies that bring meaningful innovation and change to society. Four career accomplishments bring him the most joy: graduating debt-free from the University of Texas at Austin after putting himself through college; building a piece of software that was used by 3.5 million users; investors, customers, and people from each startup he's founded have chosen to support him in subsequent startups; and each startup he launched returned capital to investors and employees, and the software still runs in production today.  
