Updated Board Metrics Ensure Understanding and Confidence
“Business engagement is the key to successful metrics implementation.”
Metrics are often ignored when they are not tailored to suit the target audience.
The CISO in a global financial organisation had this problem. He needed to improve the security metrics he presented to the board to make them more focused and easier to understand. In addition, he faced requirements from regulators and non-executive directors that board metrics must cover all aspects of information security to demonstrate control of the organisation’s risks.
A senior member of the CISO team, aware of our deep expertise and track record of helping organisations improve their security metrics, recommended us to the CISO and the CRO.
Understanding metrics challenges is hard work. Addressing them is harder still. And there is often more than one right answer to contend with. We begin this type of engagement with an assessment against our Metrics Capability Model.
In this case, it enabled us to define a set of principles to assess the client's existing metrics, providing a sound basis for our recommended improvements. At the end of the engagement, we used our capability model to define the roadmap for future enhancements, such as automation and improved dashboards.
The client wanted to ensure its metrics aligned closely to NIST. As part of our review, we compared them with our own comprehensive, NIST-aligned Metrics Library. This highlighted gaps against the NIST Cyber Security Framework (CSF). Where gaps were found, we provided new metrics from our library, adjusting them to fit the client’s control language.
Business engagement is the key to successful metrics implementation. To achieve this, we led workshops with control owners to get their buy-in and agreement.
Before the metrics were ready to be presented to the board, we reviewed the results they produced over a three-month period.
The Approach
The Problem
The Outcome
Prior to our engagement, the client’s board would receive 12 metrics that were inconsistently presented and not well understood.
As a result of our work, the client had a set of board metrics that were understood and agreed by all stakeholders. This gave the board much greater visibility of all priority security controls via 16 high-level metrics, supported by 60 new metrics providing the detail.
Strong engagement with control owners helped them better understand how they were being measured, as well as the data required to produce the metrics.
We also changed how the information was presented. For example, using percentage values enabled the board and other stakeholders to better appreciate the scope and impact of each metric.
Demonstrable coverage of the metrics against the NIST Cyber Security Framework gave stakeholders confidence that nothing was being hidden. Both the board and their external security-risk stakeholders were happy with the new metrics because they delivered a fundamental shift in their understanding of the organisation’s security risk position.
This outcome was later celebrated internally by the CISO’s metrics team winning a recognition award.