What Do You Need to Tell the Board? Business Metrics that CISOs Should Share – Second in a Four-Part Series

Jane-Michele Clark
Director of Business Strategy
Cybersecurity Strategy
Estimated reading time: 6 min

January 15, 2024

July 14, 2025


If you are in the role, you know that part of a CISO’s job is to share key data with the Board and/or the senior executives who help determine how tightly the purse strings should be drawn. In our December 20th post, the first in this four-part series, we separated these many elements into 10 key categories:

  1. Expanding Digital Footprints Increase Vulnerability
  2. Data and Data Lake Segmentation
  3. People, Phishing and Policies
  4. Stakeholder Security, including digital supply chain security and third-party risk management
  5. Incident Detection and Response + Testing Protocols and Practices
  6. Infrastructure – State of Current Architecture and Equipment + Future Needs Assessment
  7. New Technologies, including Enterprise-Wide and Department-Level Applications as well as use of IoT, ML and AI
  8. Investment Levels and Efficacy + Regulatory Compliance and Insurance Coverage
  9. Vendors and Portfolio Management
  10. Financial Asset Risks + ROI and Losses

In the first installment, we covered Points 1 and 2. Today the focus is on some of the security-related elements.

Despite the many – far too many, and all too frequent – headlines about successful data breaches in which individuals’ private data, and corporations’ proprietary data, is released on the dark web and elsewhere, it is estimated that less than 40% of North American senior executives and people in non-tech-related roles truly understand cybersecurity. As a result, digital transformation is often stalled. For small businesses, it also means that insufficient resources will be dedicated to a security posture robust enough to withstand even basic cyberattacks.

As you prepare to deliver your reports, it can help to remind the holders of the purse strings that every dollar spent recovering from a cyberbreach is one less dollar that can be spent on initiatives that will help the company grow. Getting senior management and/or board members to view cybersecurity as a way to engender consumer trust and loyalty, rather than as a cost centre, can help with strategic investment in network-related conditions, including security solutions.

People, Phishing and Policies

It’s not news, probably not even surprising anymore, to say that stakeholders represent an organisation’s biggest vulnerability when it comes to cybersecurity.

Whether it’s a result of poor training, inattentiveness that allows someone to absentmindedly click on a suspicious email’s link, maliciousness or desire for personal gain (and these last two represent less than 5% of breaches), people represent malware’s gateway into your network.

Given that email is the number one way that cybercrooks get into your system, this is a good place to start. It can be difficult, however, to measure the effectiveness of cybersecurity awareness training, protocols and stakeholder messaging, but you can – and should – track weekly, and report quarterly, on the items listed below.

Obviously, if the numbers start to climb dramatically, you would need to report on this immediately – and then again more frequently until the numbers return to “normal” levels.

  • Actual numbers of, and percentages of, suspicious email that is flagged and/or quarantined by your email firewall and other security programs.
  • Percentage of suspicious email that gets reported by stakeholders, both internal and external, and the response taken to this mail.
  • Results from phishing simulations, and identification of users who are lured repeatedly, as they are high-risk to the organisation’s network security.
  • Percentage of passwords that have been hacked and/or are still not robust enough.
  • The number of emails that are available on the dark web. One of the free tools you can use to check for vulnerable emails: https://haveibeenpwned.com/.
  • Percentage of employees that are moving data and/or files between different permission levels within the firm and/or out of the organisation, altogether. To be truly valuable, this data should be grouped by function.
  • In most instances, senior executives also need to understand the concept of “least permission”, also known as the Principle of Least Privilege (PoLP), and the policies that are being applied. With PoLP, users should only have access to the specific resources, applications and data they need for the tasks that make up their roles in the company. Using this approach helps organisations reduce their attack surface and improve their security posture. So… if exceptions are being made, this needs to be reported on, as well as how each exception was handled.
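To turn the phishing-related items above into quarterly numbers, the metrics need to be computed consistently from the raw simulation results. The following is an added example, not code from the original post or from the author: it takes constructed phishing-simulation records (the campaign ids, user names and departments are made up), computes click and report rates grouped by function, lists users who were lured repeatedly, and implements the “report immediately” trigger described above as a simple spike check on the campaign-over-campaign click rate. The threshold factor of 2 is an assumption; pick one that matches your own baseline.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One user's outcome in one phishing simulation campaign."""
    campaign: str     # campaign identifier (constructed)
    user: str         # user identifier (constructed)
    department: str   # function the user belongs to, for grouped reporting
    clicked: bool     # followed the lure link
    reported: bool    # reported the message to the security team


# Constructed sample data: three simulated campaigns sent to four users in one quarter.
SAMPLE_RESULTS = [
    SimResult("2024-Q1-a", "alice", "finance", clicked=True,  reported=False),
    SimResult("2024-Q1-a", "bob",   "finance", clicked=False, reported=True),
    SimResult("2024-Q1-a", "carol", "sales",   clicked=True,  reported=False),
    SimResult("2024-Q1-a", "dave",  "sales",   clicked=False, reported=False),
    SimResult("2024-Q1-b", "alice", "finance", clicked=True,  reported=False),
    SimResult("2024-Q1-b", "bob",   "finance", clicked=False, reported=True),
    SimResult("2024-Q1-b", "carol", "sales",   clicked=False, reported=True),
    SimResult("2024-Q1-b", "dave",  "sales",   clicked=True,  reported=False),
    SimResult("2024-Q1-c", "alice", "finance", clicked=True,  reported=False),
    SimResult("2024-Q1-c", "bob",   "finance", clicked=False, reported=True),
    SimResult("2024-Q1-c", "carol", "sales",   clicked=False, reported=True),
    SimResult("2024-Q1-c", "dave",  "sales",   clicked=False, reported=False),
]


def rates_by_department(results):
    """Click rate and report rate per department, as percentages rounded to one decimal."""
    sent, clicked, reported = Counter(), Counter(), Counter()
    for r in results:
        sent[r.department] += 1
        clicked[r.department] += int(r.clicked)
        reported[r.department] += int(r.reported)
    return {
        d: {
            "click_rate": round(100 * clicked[d] / sent[d], 1),
            "report_rate": round(100 * reported[d] / sent[d], 1),
        }
        for d in sorted(sent)
    }


def repeat_clickers(results, min_clicks=2):
    """Users lured at least `min_clicks` times across campaigns: the high-risk group to name in the report."""
    clicks = Counter(r.user for r in results if r.clicked)
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def campaign_click_rates(results):
    """Overall click rate per campaign, keyed by campaign id, for trend reporting."""
    sent, clicked = Counter(), Counter()
    for r in results:
        sent[r.campaign] += 1
        clicked[r.campaign] += int(r.clicked)
    return {c: round(100 * clicked[c] / sent[c], 1) for c in sorted(sent)}


def spike_alert(rates_in_order, factor=2.0):
    """True when the latest rate is at least `factor` times the previous one.

    This is the 'report immediately' trigger: a dramatic climb between two
    consecutive measurements. With fewer than two data points nothing can be
    compared, so no alert is raised.
    """
    if len(rates_in_order) < 2:
        return False
    previous, latest = rates_in_order[-2], rates_in_order[-1]
    if previous == 0:
        return latest > 0
    return latest >= factor * previous


if __name__ == "__main__":
    print(rates_by_department(SAMPLE_RESULTS))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    trend = campaign_click_rates(SAMPLE_RESULTS)
    print("campaign trend:", trend)
    print("spike?", spike_alert(list(trend.values())))
```

Grouping by department is what makes the numbers actionable: a 50% click rate in finance and 33% in sales point to different training priorities, and the repeat-clicker list identifies the individuals who need targeted follow-up rather than another company-wide e-mail.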

As part of your reporting, it is also important to include your mitigation strategies – and to outline your contingency plans in case the yoghurt does indeed hit the fan.

Stakeholder Security, including digital supply chain security and third-party risk management

For this section, we are going to borrow from another of our own blog posts:

With increasingly distributed networks, growing adoption of digital applications and transactions, and with hybrid working a fact of life today, organisations are routinely creating virtual spaces in which stakeholders can work collaboratively. All to the delight of cybercriminal enterprises, because once entry is gained into one corporate portal, the marauders can hop, skip and jump their way seamlessly into the networks of other connected organisations.

The result is that multi-stage, multi-vector attacks have become the norm.

Today, it’s also highly possible that one of the stakeholders with whom you collaborate regularly, or one of the firms within your supply chain, manufacturers its products offshore.

One of these companies may do business with a company in Russia, Iran, North Korea or China (the top sources of nation-state threat activities, according to Microsoft’s Digital Defense Report 2022). Now, your network could be vulnerable to a nation-state threat vector. All it takes is the smallest of security shortcomings somewhere along the line, for a massive problem to be unleashed.  It’s akin to a small ocean wave encountering interference of some kind and being transformed into a rogue wave, which can be highly destructive.

This is not news to your senior team, so it will be important that you require implementation of the following, and then track and report on the related metrics:

  • The cybersecurity posture of suppliers, distributors and other stakeholders connecting to your network – and how they compare against others.
  • Results from penetration testing and other cyber security audits that your company chooses to require for organisations being given permission to connect to your network.
  • Patch management protocols.
  • A process for continuously monitoring the security posture of your external stakeholders.

Incident Detection and Response + Testing Protocols and Practices

Equally important to showing that you are shoring up cybersecurity shortcomings is reassuring senior management that your team is able to detect and respond readily to various types of cyberincidents.

Among the metrics to track, assess and report on:

  • The frequency and types of tabletop exercises and attack simulations in which you engage.
  • How the red team scores against the blue team, what you learn from the exercises, and the protocols and practices you implement as a result.
  • The actual number of, as well as percentage of, successful incidents in comparison with the intrusion attempts.
  • Mean time to detect, to contain and to remediate.
  • Mean time for full restoration in exercises that simulate going down to bare metal.
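The time-based metrics in this list are only comparable quarter to quarter if everyone agrees on where each clock starts and stops. The following is an added example, not code from the original post or from the author: it computes mean time to detect, contain and remediate from a constructed incident register (incident ids, types and timestamps are made up), measures the success rate of incidents against blocked intrusion attempts, and names the incident that took longest to detect. The conventions assumed here are that time to detect runs from the earliest attacker activity established in forensics, while time to contain and time to remediate both run from the moment of detection; state your own conventions in the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

TS_FORMAT = "%Y-%m-%dT%H:%M"


def parse_ts(text):
    """Parse a timestamp in the register's format (constructed, naive UTC assumed)."""
    return datetime.strptime(text, TS_FORMAT)


@dataclass(frozen=True)
class Incident:
    """One confirmed incident with the four timestamps the metrics need."""
    ident: str
    kind: str                  # e.g. phishing, malware, credential-stuffing
    first_activity: datetime   # earliest attacker activity found in forensics
    detected: datetime         # when the SOC raised the incident
    contained: datetime        # when the attacker could no longer act
    remediated: datetime       # when the affected systems were fully restored

    def __post_init__(self):
        # A register entry with timestamps out of order would silently skew the means,
        # so reject it at construction time rather than averaging over it.
        if not (self.first_activity <= self.detected <= self.contained <= self.remediated):
            raise ValueError(f"{self.ident}: timestamps are not in chronological order")


# Constructed sample register for one month.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "phishing",
             parse_ts("2024-01-03T09:00"), parse_ts("2024-01-03T11:00"),
             parse_ts("2024-01-03T15:00"), parse_ts("2024-01-04T09:00")),
    Incident("INC-2", "malware",
             parse_ts("2024-01-10T22:00"), parse_ts("2024-01-11T08:00"),
             parse_ts("2024-01-11T12:00"), parse_ts("2024-01-12T20:00")),
    Incident("INC-3", "credential-stuffing",
             parse_ts("2024-01-20T01:00"), parse_ts("2024-01-20T01:30"),
             parse_ts("2024-01-20T02:30"), parse_ts("2024-01-20T05:30")),
]

# Constructed count of intrusion attempts that were blocked in the same period
# (mail gateway, perimeter, identity provider); a real figure comes from those tools.
SAMPLE_BLOCKED_ATTEMPTS = 1497


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def mean_times(incidents):
    """MTTD, MTTC and MTTR in hours, rounded to two decimals."""
    return {
        "mttd_h": round(mean(hours(i.detected - i.first_activity) for i in incidents), 2),
        "mttc_h": round(mean(hours(i.contained - i.detected) for i in incidents), 2),
        "mttr_h": round(mean(hours(i.remediated - i.detected) for i in incidents), 2),
    }


def success_vs_attempts(incidents, blocked_attempts):
    """Successful incidents as a count and as a percentage of all intrusion attempts."""
    successful = len(incidents)
    attempts = successful + blocked_attempts
    return {
        "successful": successful,
        "attempts": attempts,
        "success_pct": round(100 * successful / attempts, 2) if attempts else 0.0,
    }


def slowest_to_detect(incidents):
    """Id of the incident with the longest dwell time before detection; the one to discuss first."""
    return max(incidents, key=lambda i: i.detected - i.first_activity).ident


if __name__ == "__main__":
    print(mean_times(SAMPLE_INCIDENTS))
    print(success_vs_attempts(SAMPLE_INCIDENTS, SAMPLE_BLOCKED_ATTEMPTS))
    print("longest dwell time:", slowest_to_detect(SAMPLE_INCIDENTS))
```

On the constructed register this gives an MTTD of about 4.2 hours, an MTTC of 3 hours and an MTTR of about 20.7 hours, with three successful incidents out of 1,500 attempts (0.2%). The validation in `__post_init__` is the part most often missing from hand-maintained spreadsheets: one mis-typed date can turn a mean into a negative number without anyone noticing.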

We hope you found this of interest. If you would like more information, please contact us at [email protected] or call us at 416.429.0796 or 1.877.238.9944 (toll free).

Otherwise, please check back in February for Part 3 in the series.
