10 Security Metrics Categories CISOs Should Present to the Board

February 15, 2024 at 08:29AM

Due to increased SEC regulations, companies are under pressure to enhance transparency and speed up breach disclosure in cybersecurity reporting. Boards are demanding more rigorous tracking of KPIs and KRIs, operational metrics, and asset and security performance indicators. The book, “The Cyber Savvy Boardroom,” co-authored by Homaira Akbari and Shamla Naidoo, focuses on these crucial metrics for CISOs to report to the board. It covers metrics related to data, financial assets, people, suppliers, infrastructure, user-controlled devices, IoT, enterprise applications, testing security posture, and incident detection and response. The authors emphasize the importance of summarizing these metrics into assessments and dashboards for the board’s evaluation and decision-making.

Based on the meeting notes, the key takeaways for CISOs and boards of directors regarding cybersecurity metrics and reporting are as follows:

1. Increased Transparency and Speedy Breach Disclosure: The US Securities and Exchange Commission requires CISOs and boards of directors to enhance transparency around organizations’ cybersecurity capabilities and accelerate breach disclosure to investors.

2. Focus on Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs): Boards of directors are pushing for more rigorous tracking of KPIs and KRIs, particularly emphasizing security operational metrics that measure the scope of assets, cybersecurity activities, and security outcomes.

3. Importance of Metrics Reporting: Security teams use operational metrics to track and report on cybersecurity activities and outcomes, which illuminates cybersecurity capabilities and the efficiency of controls and supports evaluation of technology and talent investments.

4. Book by Homaira Akbari and Shamla Naidoo: The primer authored by Akbari and Naidoo emphasizes the crucial role of metrics in reporting risk levels and security performance, highlighting the need to summarize assessments in cybersecurity dashboards that are easy to digest.

5. Categories of Metrics to Track: The meeting notes outline various categories of metrics that CISOs should track and report to the board, including data, financial assets, people, suppliers, infrastructure, user-controlled devices, new technologies (IoT), enterprise applications, testing security posture, and incident detection and response.

Overall, the focus is on the need for robust cybersecurity metrics and reporting to provide the board with a clear understanding of the organization’s security posture and to make informed decisions regarding cybersecurity investments and risk management.