Cyberattacks have become a serious risk to organizations that no responsible board member can ignore. In fact, a 2021 survey of risk decision makers ranked cyberattacks as the number one threat to companies, beating out the pandemic, supply chain disruptions and economic recession. An overwhelming majority of board directors recognize the business impact of cybersecurity, yet a disconnect persists between many boards and their security teams.
The Gap Between Business and Security
When asked whether cybersecurity is integrated into their business risk-management strategies, nearly all (92%) business executives answered affirmatively, while only 55% of security leaders agreed. This divergence in how cybersecurity is understood and prioritized suggests a communication deficiency.
General lack of communication is part of the problem, with 41% of executives and board directors reporting that they only received cybersecurity updates after an incident occurred. Another contributing factor is a failure of many security leaders to talk about cybersecurity in language the board understands: money.
Speaking the Same Language
Describing an organization’s security posture in financial terms draws a clear line between business and security objectives. Security leaders should emphasize returns on security investments, while avoiding technical jargon or digging into day-to-day operational minutiae. Translating cyber risk into business impact is essential, and reporting the right metrics makes that much easier.
Metrics That Matter to the Board
Board members focus on high-level objectives: maintaining the company’s reputation, staying profitable and minimizing operational downtime. The metrics you discuss should align with these goals. Here are some examples:
- Revenue-driving metrics: Unfortunately, cybersecurity is often regarded as a cost center. Tracking metrics that support the company’s bottom line, such as the number of completed sales security questionnaires or the value of contracts that include security and compliance obligations, can help shift that narrative.
- Security cost to value ratios: Calculate the financial value provided by IT assets against the cost of securing them. Providing these metrics requires a strong understanding of your organization’s IT infrastructure and risk profile, but this is language the board is certain to understand.
- Incident response metrics: Reporting metrics like the average time between detection and remediation for critical security incidents help quantify your organization’s ability to thwart or mitigate a devastating breach.
- System recovery testing: Track how many business-critical systems have undergone full recovery testing in the past year, and how many met their target RTOs, to provide insight into the real-world impact of a systems outage event, such as a ransomware attack.
When presenting metrics, start with basic, high-level concepts. Then incrementally add detail as board members become familiar with the material, allowing them to develop a deeper understanding of your cybersecurity program.
Need help identifying useful metrics, understanding your risk profile or evaluating your defense posture? MBL Technologies provides comprehensive cybersecurity services to ensure your security investments lead to tangible business outcomes.
