A common challenge for security programs is finding a way to translate the effectiveness of the information security program to the executive c-suite and Board of Directors. Reports need to strike a balance between understandability and accuracy. There are there are two major considerations when deciding on your approach to report metrics to the Board.
First, understand the roles and objectives of the Board and what they are concerned about. As security professionals we get too deep into the technical details of our job, forgetting the business as a whole does not have the same operational objectives and measures as we do. We need to step into the perspective of the Board and understand their view and concerns. The board is concerned with corporate strategy, business outcome, and organizational risks. The board is not concerned with technical details of patching, data backups, or bandwidth capacity. Even though those technical details do indirectly impact the business’s overall objective. They want to know if potential shortcoming or failures of the security program will inhibit the organization’s ability to meet business goals, or expose them to more risk, such as reputational damage, litigation fees, or loss of business availability.
Every organization’s board of directors will vary. Therefore, it is important to do some research, gain an understanding of the audience. What kind of audience are you presenting to? Are they from technical, financial, or other backgrounds? This information will help you in wordsmithing your reports to ensure it is tailored to the audience.
The last major consideration is presentation of your report. The goal is the communicate your information in a clear and concise manner. Avoid highly technical graphs and charts that look “flashy” but takes extensive dialogue for the audience to understand. Limit your presentation to simple charts, single digit numbers, and plain colors. Avoid heavy texts when possible. But when absolutely necessary, use language familiar to the board by avoiding technical terms and “jargon”. For example. “% endpoints with data loss prevention (DLP) solution implemented” sounds common to the security professional, but this phrase will leave a typical Board member in the dark. Try using instead, “The % of the IT network with the ability to detect and block leakage of sensitive data”.
Final thoughts: Remember that it is important to be transparent with your organization’s leadership. Present them with data that shows both the good and the bad of your information security program. Surprisingly, the metrics and reports that show poor performance in your program can be more meaningful and beneficial for the maturity of your program. The “at-risk” or poor performing areas will shed light on a potential lack of resources (money, technical skills, staff, time), or lack of executive support. Regardless, the executive board will provide you the support needed since the business will be at risk. And if in case there is a security incident, you can point to the reports that indicated to the board of poor performance and lack of the appropriate resources to fix it beforehand. The continued enhancement of your security program as reflected in your metrics and reports over time will keep the Board engaged and committed to an effective cyber security program.