Presenting to the Board on the topic of cyber security can be challenging for CIOs and CISOs, and too often ends in fraught conversations about whether the reported security posture is serious, anomalous or just business as usual.
If this sounds familiar, you need to ask yourself: 'Am I getting bogged down reporting operational metrics rather than providing a view on business risk and security posture?'
Am I reporting the right information to the Board?
Too often, CIOs and CISOs give the Board presentations full of detailed graphs of firewall statistics, spam filter rates, malware detection rates, and so on. While these are valuable indicators of operational security, they require context and experience to interpret and understand. Your Board members are likely to be highly educated, curious people who, when presented with such a report, will attempt to contextualise the data (based on their own experience) and interpret it for themselves, leading to those tense, downward-spiralling conversations.
Do I even need to report security information to the Board?
Yes! It is important to understand that ASIC expects your Board to be informed of the organisation's cyber security posture. Specifically, you need to help the Board answer the following questions that ASIC poses to directors:
- how cyber risks may impact on your director’s duties and annual director report disclosure requirements;
- whether you have appropriate board-level oversight of cyber risks and cyber resilience; and
- whether consideration of cyber risks has been incorporated into your governance and risk management practices, and into the controls and measures for managing those risks.
How do I build a Cybersecurity Board report?
Your Board reports need to present cyber security risks in terms of business risk by 'applying the right lens' over the security portfolio.
We can make sense of our operational security metrics by applying a management lens: evaluating operations against our security strategy, our risk management approach and appetite, and our compliance with policies and legislation. It is here that we can start to identify and group cyber security risks and present them in terms of risk to the business.
For example, an operational increase in malware detections may actually be the result of a lack of budget for perimeter security, or of insufficient review cycles. At Board level, these are governance and risk management discussions, not a metrics discussion.
The final lens is to summarise this information into a high-level dashboard that represents the organisation's cyber security posture. An example dashboard is shown below.
Ideally, the dashboard should present Red, Amber and Green statuses to highlight the key areas, so Board members know where to focus. If you use the same format for every report, your Board will become comfortable interpreting it, will ask the right questions ("Do you need more budget?") and, importantly, will see the direct correlation between your security program and the success of the business.
MOQdigital has helped many IT departments engage better with their executives and Boards by implementing dashboards, reports and risk management frameworks, opening the lines to better communication and understanding.
- Written by: Bruce Irwin, Senior Consultant at MOQdigital