Cybersecurity Metrics to Care About
November 10, 2020 by Becky Metivier
Organizations today are going through an incredible digital transformation – moving to the cloud, embracing the Internet of Things (IoT), implementing automation, etc. – all at a lightning-fast pace. This is opening them up to new and expanding cybersecurity threats that are difficult to manage.
It's widely known that there is no guarantee when it comes to protecting your organization from a cyberattack. Even with layers of defense in place, cybercriminals can find gaps and take advantage of those weaknesses to get through. It's not a question of if, but when. That's why building resilience is essential. Resiliency ensures an incident only causes a minor interruption to business-as-usual – not a major disruption. And it all starts at the top.
Why Cybersecurity is a Top Priority for the Leadership Team
Leadership must set the tone for a culture of cybersecurity. This requires that they take accountability for their own actions, as well as the actions of their workforce. Leaders must lead by example when it comes to cybersecurity, and actively participate in, and be supportive of, the mission to be secure.
Leaders set policy, approve budget, and provide direction. Setting the tone from the top is essential when it comes to cybersecurity. It cannot be stressed enough that cybersecurity risk management is not an IT issue. It is an organizational imperative.
Cybersecurity Reporting to the Leadership Team
In order for your leadership team to accept responsibility for cybersecurity, they need to not only understand the fundamentals of cybersecurity, but also keep up to date on the status of your organization's program. This can be achieved through regular reporting to the leadership team.
Here are some reports and metrics that will be helpful to inform your leadership team:
- Regulatory Updates. Include industry-specific updates that will engage them personally, as well as the organization.
- Risk Management Program. Provide the number of assessments completed. Include significant findings and remediation efforts, as well as exposures and associated decision-making for remediation.
- Vendor and Third-Party Service Provider Management. Present any contractual considerations for new vendors and any performance-related metrics for service level agreements. Let them know if there are any security concerns coming out of due diligence research, any incidents or incident notifications to report, or any concentration of risk that needs to be examined.
- IT Budget Considerations. Share the effectiveness of implemented technologies and propose new solutions to address any deficiencies. Present your strategic plan and any staffing needs as well.
- Security Monitoring and Testing Reports. This can include penetration testing and vulnerability assessment report summaries as well as IDS/IPS metrics.
- Incident Management. Report out on any significant incidents and metrics on team response. Provide any testing reports or plan improvement suggestions.
- Training Activities. Provide an overview of annual end-user awareness training, IT/IS-specific training, and any required periodic training reinforcement program(s).
An engaged and active leadership team can greatly improve the cyber resilience of an organization. Making sure they have all the knowledge they need to make informed decisions when it comes to cybersecurity will pay dividends in the end.