
6 Cybersecurity Metrics Security Leaders Should Avoid Reporting

Many security leaders struggle to report cybersecurity metrics to the board due to the absence of a universal standard.

This lack of standardization can leave new or inexperienced leaders struggling to effectively communicate critical security issues in a way that resonates with board members. As a result, they fall into the trap of presenting overly technical or insignificant metrics—data points that fail to capture the actual risks or priorities of the organization. 


To help address these challenges in cybersecurity reporting metrics, we’ve compiled a list of commonly reported metrics in the banking and credit union sectors that should be avoided, along with alternative solutions to improve communication and focus. These recommendations can also help craft a more effective cybersecurity board report template.

Six Cybersecurity “Metrics” We Don’t Recommend Reporting (with Alternative Solutions)

1. Number of spam emails blocked

This is one of the most common figures in cybersecurity board report templates. The anti-spam filtering tool reports the number, so it is easy to find, and it looks cool. The only reason it looks cool is that it is typically very large, given the massive amount of spam being sent constantly. The spam filter should be fine-tuned, if possible, to block the highest number of spam emails without introducing an unacceptable level of false positives. Reporting the huge number of spam messages blocked might trick a Board member into thinking user training is less important because 99% of spam messages are being blocked.

Unfortunately, the real concern is the spam emails that are crafty enough to get past the filtering algorithm, and are therefore more likely to get past a human’s mental filter as well. More important than the number of messages blocked is what is getting through. Most important of all is how employees respond when they see a spam email that made it past the filter: can they identify it and report it, or do they click links?

Here is what to report instead: Report on employee cybersecurity awareness training results. Let the Board know how successful your training program is, by demonstrating a decrease in happy-clickers over time.

2. Qualitative measures of risk

Unfortunately, the most common method of measuring cybersecurity risk is qualitative, using some flavor of ordinal scale. Even the most well-known risk assessment guide, NIST 800-30, prescribes a qualitative approach to measuring risk.

Here is the problem: many organizations use ordinal scales to measure cybersecurity metrics. We are still in the wild west of information security decision making, and to make matters worse, we’re not getting value out of our risk assessment efforts. We just know we need to do it because the CAT/ACET and our examiners tell us it needs to be done.

An ordinal scale is something that denotes an order. For example, Medium is higher than Low, and High is higher than Medium. Two is more than one, Neutral is better than Bad. There are scenarios where ordinal scales work very well.

For example: Restaurant rating reviews. We all have a pretty good understanding of what it means for a restaurant to have a 5-star rating (or a one-star rating...yikes!). We also understand what it means when it is rated as $ versus $$$.

Let’s say you’re shopping for a home, and the lender tells you your payments are going to be $$$$. What the heck does that really mean? Is that $1,000 a month or $4,000 a month?

It is the same concept with cybersecurity risk. We as security people have been telling executives for years that we have high risks, or that we have a risk level of 5, and that we need to spend thousands of dollars to mitigate the risk. But what does that actually mean?

Here is what to report instead: Adopt a quantitative approach. Financial institutions can benefit from using methods like Monte Carlo Analysis or financial ranges to present cybersecurity reporting metrics more effectively.
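As an added illustration of the quantitative approach above (not code from the original article), this Python sketch runs a small Monte Carlo simulation over a constructed risk scenario and reports annual loss as a financial range rather than a "High"; the scenario, its frequency and loss ranges, and the $500,000 loss tolerance are assumptions chosen for the example.

```python
# Added example (not from the original article): a small Monte Carlo simulation
# that turns a risk scenario into a financial range instead of "High".
# All scenario parameters are constructed for illustration.
import math
import random
import statistics

def poisson(rng, lam):
    """Draw an event count with mean `lam` (Knuth's method, fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def log_uniform(rng, low, high):
    """Draw a per-event loss whose magnitude is spread evenly across the range."""
    return math.exp(rng.uniform(math.log(low), math.log(high)))

def simulate_annual_loss(freq_low, freq_high, loss_low, loss_high,
                         trials=10000, seed=1):
    """One simulated annual loss per trial.
    freq_low/freq_high: plausible events per year; loss_low/loss_high: plausible
    dollars lost per event. Each trial picks a frequency, draws how many events
    occur, then sums an independently drawn loss for each event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, rng.uniform(freq_low, freq_high))
        losses.append(sum(log_uniform(rng, loss_low, loss_high)
                          for _ in range(events)))
    return losses

def summarize(losses, tolerance):
    """Percentiles, mean and the chance of exceeding a loss `tolerance`."""
    s = sorted(losses)
    pct = lambda q: s[int(q * (len(s) - 1))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(s),
            "prob_over_tolerance": sum(x > tolerance for x in s) / len(s)}

if __name__ == "__main__":
    # Constructed scenario: phishing-driven account takeover, 0.5-3 events a year,
    # $5,000-$250,000 per event, against a $500,000 annual loss tolerance.
    result = summarize(simulate_annual_loss(0.5, 3, 5_000, 250_000), 500_000)
    print(f"Expected annual loss ${result['mean']:,.0f}; "
          f"90th percentile ${result['p90']:,.0f}; "
          f"P(loss > $500k) = {result['prob_over_tolerance']:.1%}")
```

The p10/p50/p90 figures are the "financial range" a Board can compare against its stated loss tolerance, which an ordinal "High" cannot be.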

3. Additional Security Tools

More people, applications, and tools are often considered a measure of success, but more is not always better. Adding to the list of resources doesn’t necessarily mean better security. Telling the Board that another security appliance was plugged in to demonstrate security doesn’t necessarily help.

Here is what to report instead: Highlight what risks were mitigated and what gaps in your cybersecurity KPI framework were addressed, regardless of whether this was achieved with new or existing tools.

4. CVSS Scores

When reporting vulnerabilities, their prioritization needs to consider the real risk to the organization. When you run a scan, the scanning tool doesn’t know where it sits in relation to the asset being scanned, so it has to use generic ratings, which should be treated only as a starting point.

For example: We see a lot of SSL issues reported as Medium-rated vulnerabilities. If we see these findings in an external network scan, most of them are definitely medium. However, if we see SSL vulnerabilities show up in an internal network scan, many of them should realistically have a low rating.

Also, consider the likelihood of the vulnerabilities being exploited. Again, the scanner knows very little about the assets being scanned. In many cases, a vulnerability will be present on a system that is unlikely to be exploited.

Side note: this is a standard part of our vulnerability assessments. Hopefully, your security vendor also does this.

Here is what to report instead: The Board would be better off seeing adjusted vulnerability ratings rather than the raw results spit out by the vulnerability scanning tool. This helps the board focus on cybersecurity metrics that matter. 

5. Perimeter Attacks Blocked

On a daily basis, there are likely to be thousands of threats hitting your perimeter firewall from all over the world. Some organizations like to report the number because, much like spam messages being blocked, it looks cool. However, telling the Board about relatively normal network activity doesn’t provide any value. Rather, it might give the Board a false sense of security.

Here is what to report instead: results of firewall testing, and attacks that got past the perimeter and were blocked inside the firewall. This approach aligns with best practices for an ideal cybersecurity board report.

6. Unpatched Vulnerabilities

Certainly patching vulnerabilities is important, but the number of vulnerabilities patched, by itself, doesn’t provide any actionable information without additional context. Some people might report that they’ve patched 200 vulnerabilities in the last month or quarter, which sounds great on the surface, but there might still be 200 critical vulnerabilities that need patching.

The number of vulnerabilities patched, outside the context of the IT risk assessment, says nothing about the importance of the assets being patched or the number of assets involved.

Here is what to report instead: present the ratio of critical and high vulnerabilities patched, along with historical trends. This context ensures board members can evaluate the organization’s progress in managing risks and adhering to cybersecurity KPIs.
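An added Python example (not from the original article, and not any vendor's tool) that serves both section 4 and section 6: it adjusts the scanner's generic ratings using exposure, asset criticality and exploitability, then reports the share of adjusted critical/high findings patched per period as a trend. The adjustment rules, the category labels and the findings themselves are constructed assumptions.

```python
# Added example (not from the original article): context-adjusted ratings and a
# critical/high patched ratio over a constructed set of scan findings.
from collections import namedtuple

LEVELS = ["low", "medium", "high", "critical"]
Finding = namedtuple("Finding",
                     "period category scanner_sev exposure exploitable critical_asset patched")

def adjusted_rating(f):
    """Adjust the scanner's generic severity using what the scanner cannot know:
    where the host sits, how important it is, and whether an exploit is realistic."""
    idx = LEVELS.index(f.scanner_sev)
    if f.category == "ssl" and f.exposure == "internal":
        idx -= 1          # SSL findings on internal-only hosts are realistically lower
    if not f.exploitable:
        idx -= 1          # no practical exploit path: lower the rating one level
    if f.critical_asset and f.exposure == "external":
        idx += 1          # internet-facing, business-critical asset: raise one level
    return LEVELS[max(0, min(idx, len(LEVELS) - 1))]

def patched_ratio(findings, period):
    """Fraction of adjusted critical/high findings for `period` that are patched,
    or None when that period has no such findings."""
    relevant = [f for f in findings
                if f.period == period and adjusted_rating(f) in ("high", "critical")]
    return sum(f.patched for f in relevant) / len(relevant) if relevant else None

def trend(findings):
    """Patched ratio per period, oldest first, for the historical view."""
    return [(p, patched_ratio(findings, p)) for p in sorted({f.period for f in findings})]

# Constructed findings (not real scan output): period, category, scanner severity,
# exposure, exploitable, critical asset, patched. Comments show the adjusted rating.
FINDINGS = [
    Finding("2024-Q1", "ssl", "medium", "internal", True, False, False),   # -> low
    Finding("2024-Q1", "ssl", "medium", "external", True, True, True),     # -> high
    Finding("2024-Q1", "rce", "critical", "external", True, True, False),  # -> critical
    Finding("2024-Q1", "rce", "high", "internal", False, False, True),     # -> medium
    Finding("2024-Q2", "rce", "critical", "external", True, True, True),   # -> critical
    Finding("2024-Q2", "auth", "high", "internal", True, True, True),      # -> high
    Finding("2024-Q2", "auth", "high", "external", True, False, False),    # -> high
]

if __name__ == "__main__":
    for period, ratio in trend(FINDINGS):
        print(f"{period}: {ratio:.0%} of adjusted critical/high findings patched")
```

Note that the first finding, a medium SSL issue on an internal host, drops out of the critical/high ratio entirely once adjusted, which is exactly the context the raw scanner count hides.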

Cybersecurity Reporting for Banks and Credit Unions

If you are responsible for cybersecurity compliance at a financial institution, or at least are involved in it, you know that several key controls in the FFIEC CAT and NCUA ACET require organizations to report cybersecurity to the Board of Directors. The BoD is ultimately responsible for overseeing cybersecurity. 

To help you with this effort, we developed a comprehensive template to help you report the most useful cybersecurity information to your Board. Check it out below!

Rivial's CyberSecurity Board Report Template