What Does the Board Need to Know? Business Metrics that CISOs Should Share – 4th and Last in a Four-Part Series

In this final installment of key data that CISOs should consider sharing with the companies Board members and senior decision-makers who are not part of the IT team, we’ll be covering Infrastructure and New Technologies.

1. Expanding Digital Footprints Increase Vulnerability – Part One in the Series
2. Data and Data Lake Segmentation
3. People, Phishing and Policies – Part Two in the Series
4. Stakeholder Security, including digital supply chain security and third-party risk management
5. Incident Detection and Response + Testing Protocols and Practices
6. Infrastructure – Current Architecture and Equipment +Future Needs Assessment – Part Three in the Series
7. New Technologies, including Enterprise -Wide and Department-Level Applications as well as use of IoT, ML and AI
8. Investment Levels and Efficacy + Regulatory Compliance and Insurance Coverage
9. Vendors and Portfolio Management
10. Financial Assets

Investment Levels and Efficacy + Financial Assets

In the past 24 months, there has been exponential growth in the adoption of application, as well as the acquisition and use of other digital assets.  Today, larger enterprise-level organisations typically allocate  5- 10% of their IT budgets to cybersecurity; and SMBs this percentage is often higher.  Regardless of company size, this is a critical investment as it impacts an organisation’s digital risk level – and potentially its future financial viability.

It goes without saying, of course, that overall IT spending must align with both short-term business priorities, and the longer term business growth goals and vision.

As it is the fiduciary responsibility of company directors to ensure that funds are being allocated properly, the senior management team typically looks for monthly and quarterly on most, if not, of the following:

• Year to Date, and Month-over-Month, the amount spent on applications, hardware and software, and IT services, both internal and external.
• Actual IT “spend” vs. Plan(both under and over plan), with stats and rationale for the variance. It is important to identify – and correct, if necessary – major anomalies before they become problems for the corporation, perhaps even impacting mission-critical functionality.
• An assessment of how projects are performing: What percentage is on time and within budget? Are the object is being met? If not, or if budget overruns are high, recommendations should be included as to whether or not to pull the plug on the project.
• Number and types of hardware/firmware and other equivalent equipment assets owned by the Company, and how that is changed since the last report.
• Number (actual number and percentage) of IT assets that are approaching “end-of-support” and “end-of-life”, along with timelines, recommendations about which ones to replace and how, and the attendant costs. After all, it is far easier to get budget amounts approved when the purse-string holders have plenty of advanced notice.
• How much of what is being spent, or proposed/budgeted, in percentages and actual dollars, is CapEx and how much is OpEx – and what possibilities exist for moving more items into OpEx, if the cost savings warrant such a move.

Regulatory Compliance and Insurance Coverage

Insurance company loss ratios have been over 60% consistently for the past five years, causing some insurance underwriters to discontinue the coverage. Others are raising their premiums to compensate.

Globally, premiums increased 94% from 2019 – 2022, and similar increases are being applied in Canada.

In addition to raising premiums, insurance companies have become much stricter when it comes to cybersecurity requirements that must be met by organisations for policies to remain in effect, and for a proper payout to occur if (when?) the company is breached.

In our “Underwriters are Protecting their Flanks” blog post, we cover some of the questions they ask.  In terms of reporting to the Board and your C-Suite counterparts, here are a few suggestions:

• The date of your last security audit and/or penetration testing and the results.
• What changes in polices, protocols, personnel, hardware and/or software solutions are needed to respond to all elements deemed “deficient” in the security audit – and an identification of what items are truly pressing and need to be dealt with within the next quarter. Costs should be included, too, of course.
• An identification of what elements from above are needed to be fully compliant with the insurance policy requirements. In many instances, insurance companies will honour/allow the policy if they are given a concrete plan for when all non-critical items will be addressed, you can prove that the plan is being adhered to, if you do get breached.
• The frequency and method of backing up and testing the restore capabilities, or your data, operating systems, and overall network architecture.
• Many insurance companies are also starting to require that firms show they have solid disaster recovery plans and processes in place, so communicating the key elements from your plans – and showing how it is reviewed quarterly – to part of this report.
• Details about the frequency of your cyberattacks simulations and the results – along with recommendations for any changes you feel are warranted in terms of training, employee data access, etc.
• Employee training will frequency by department/role.

Vendors and Portfolio Management

In Part Two in the Series, we talked about the importance of removing stakeholder access as soon as their roles changed and/or they stop doing business with your organisation.

Reporting this category includes:

• Number of internal stakeholders accessing the network, along with what percentage are doing so as 100% remote workers, what percent is hybrid and what percent works 100% on premises. As part of this metric, it is important to relay how this changes quarter by quarter, and to indicate how personnel access. By department and/or role.
• The total number of vendors connecting into the network and/or partner portal, along with your processes for vetting vendors before granting them access.
• How access is granted to external stakeholders, including clients, vendor partners, other supplier, distributors, agents and other facilitators.
• Protocols and processes in place for verifying that any document being uploaded by a stakeholder is virus free – or as close to it as possible. As part of this, there needs to report on the number of documents that have been quarantined, and an identification of vendors whose access should be limited because of risk factors. Note: Some companies prevent photos from being uploaded by external stakeholders, as there is a higher likelihood of a photo containing malicious code, that is the case for Word documents.
• Protocols for automatically removing vendors, clients and other stakeholders – with corresponding stats for the quarter.

We hope you found this series of helpful. Please check out our other posts, or contact us to see how else we might be of help with all your network and endpoint needs: [email protected], 416.429.0796 or 1.877.238.9944 (toll free).