In this third installment of key data that CISOs should consider sharing with the company's Board members and senior decision-makers who are not part of the IT team, we'll be covering Infrastructure and New Technologies.
- Expanding Digital Footprints Increase Vulnerability – Part One in the Series
- Data and Data Lake Segmentation
- People, Phishing and Policies – Part Two in the Series
- Stakeholder Security, including digital supply chain security and third-party risk management
- Incident Detection and Response + Testing Protocols and Practices
- Infrastructure – State of Current Architecture and Equipment + Future Needs Assessment
- New Technologies, including Enterprise-Wide and Department-Level Applications as well as use of IoT, ML and AI
- Investment Levels and Efficacy + Regulatory Compliance and Insurance Coverage
- Vendors and Portfolio Management
- Financial Asset Risks + ROI and Losses
In the first installment, we covered Points 1 and 2. Today the focus is on some of the security-related elements.
Infrastructure – State of Current Architecture and Equipment + Future Needs Assessment
In today's business world of hyper-connectivity, widely distributed networks that often have internal and external stakeholders connecting into the system, and rapid adoption of emerging technologies, it is important that CISOs adequately communicate to senior decision-makers that it is no longer possible to create a fully secure infrastructure. At least not one that will permit the organisation to scale, foster collaboration and innovation, and achieve its growth goals.
Today, most people have heard the phrase, perhaps all too often, that “It’s not a matter of if, but when”. That being said, IT departments and their leaders often come under extreme scrutiny if there is an incident. It helps when senior executives are well aware of where things stand in terms of infrastructure and upgrades.
Some of the data and metrics that you may wish to track and report on:
- Number and types of hardware/firmware and other equivalent equipment assets owned by the Company, and how that has changed since the last report.
- Number (actual number and percentage) of IT assets that are approaching "end-of-support" and "end-of-life", along with timelines, recommendations about which ones to replace and how, and the attendant costs. After all, it is far easier to get budget amounts approved when the purse-string holders have plenty of advance notice.
- A reminder of the process used to ensure secure configuration of all assets, including the frequency/cadence at which configurations are checked.
- Identification of automated versus manual processes for code review, etc., including percentages for each type, and headcount required for manual assessments.
- Patching protocols, frequency and results, for both software and firmware, including processes used for individuals’ devices, if the firm allows users to connect with their own devices.
- Number of devices on the network, along with report on unidentified and orphaned devices, as well as the number of devices requiring patching.
- Although the discussion of Zero Trust architecture deployment and the number of threats blocked by your endpoint solution would have been included in your "Incident Response" report, it should be included here, too, if you are reporting separately.
- Time required to address/repair "vulnerabilities", along with data on how these problems are addressed. In other words, which ones (specifics and as a percentage) are being addressed by internal resources versus third-party entities. Third-party SLAs should be included.
- Number of "vulnerabilities" that need to be addressed, along with the priority level based on potential impact to the organisation, timelines to address these problems, and the potential impact on the organisation's mission-critical operations if these problems are not resolved within a specific timeframe.
- Depth of network/infrastructure segmentation.
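The metrics above are only useful to a Board if they are computed the same way every reporting period. The script below is an added example, not part of the original article, showing one way to derive several of them (assets approaching end-of-support, devices needing patching, unidentified devices, and vulnerability remediation time split by internal versus third-party handling with SLA breaches) from a small asset inventory and vulnerability list. The inventory, vulnerability records, reporting date, 180-day end-of-support horizon and 30-day patch-age threshold are all constructed for illustration; a real report would read these from the CMDB and vulnerability tracker.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Asset:
    asset_id: str
    kind: str                       # e.g. "switch", "server", "iot"
    end_of_support: Optional[date]  # None when the vendor date is unknown
    last_patched: Optional[date]    # None when never patched / not patchable
    identified: bool = True         # False = unidentified or orphaned device

@dataclass
class Vuln:
    vuln_id: str
    priority: str                   # "critical" | "high" | "medium" | "low"
    opened: date
    closed: Optional[date]          # None while still open
    handled_by: str                 # "internal" | "third-party"
    sla_days: int                   # agreed remediation window

# Constructed sample inventory (hypothetical assets, not real data).
TODAY = date(2024, 2, 14)
SAMPLE_ASSETS = [
    Asset("core-switch-01", "switch", date(2024, 5, 1), date(2024, 2, 1)),
    Asset("file-server-02", "server", date(2023, 12, 31), date(2023, 11, 15)),
    Asset("edge-fw-01", "firewall", date(2026, 1, 1), date(2024, 2, 10)),
    Asset("unknown-mac-3c2f", "unknown", None, None, identified=False),
    Asset("hvac-ctrl-07", "iot", date(2024, 7, 15), None),
]
# Constructed sample vulnerability records (hypothetical ids).
SAMPLE_VULNS = [
    Vuln("V-001", "critical", date(2024, 1, 10), date(2024, 1, 15), "internal", 7),
    Vuln("V-002", "high", date(2024, 1, 20), date(2024, 2, 5), "internal", 14),
    Vuln("V-003", "high", date(2024, 2, 1), None, "internal", 14),
    Vuln("V-004", "critical", date(2024, 1, 5), date(2024, 1, 25), "third-party", 10),
    Vuln("V-005", "medium", date(2024, 1, 28), None, "third-party", 30),
]

def eol_summary(assets, today, horizon_days=180):
    """Count assets already past end-of-support and those reaching it within the horizon."""
    cutoff = today + timedelta(days=horizon_days)
    approaching = [a for a in assets if a.end_of_support and today <= a.end_of_support <= cutoff]
    past = [a for a in assets if a.end_of_support and a.end_of_support < today]
    total = len(assets)
    return {
        "total": total,
        "approaching_eos": len(approaching),
        "approaching_eos_pct": round(100.0 * len(approaching) / total, 1) if total else 0.0,
        "past_eos": len(past),
        "approaching_ids": sorted(a.asset_id for a in approaching),
    }

def patch_summary(assets, today, max_patch_age_days=30):
    """Devices whose last patch is older than the threshold (or unknown), plus unidentified devices."""
    stale = [a for a in assets
             if a.last_patched is None or (today - a.last_patched).days > max_patch_age_days]
    orphaned = [a for a in assets if not a.identified]
    return {"needs_patching": len(stale), "unidentified": len(orphaned)}

def remediation_summary(vulns, today):
    """Per handling party: open/closed counts, mean days to close, SLA breaches, share of all vulns."""
    total = len(vulns)
    out = {}
    for owner in ("internal", "third-party"):
        group = [v for v in vulns if v.handled_by == owner]
        closed = [v for v in group if v.closed]
        days = [(v.closed - v.opened).days for v in closed]
        # An open vulnerability counts as breached once it has been open longer than its SLA.
        breached = [v for v in group if ((v.closed or today) - v.opened).days > v.sla_days]
        out[owner] = {
            "open": len(group) - len(closed),
            "closed": len(closed),
            "mean_days_to_close": round(sum(days) / len(days), 1) if days else None,
            "sla_breaches": len(breached),
            "share_pct": round(100.0 * len(group) / total, 1) if total else 0.0,
        }
    return out

def board_report(assets=SAMPLE_ASSETS, vulns=SAMPLE_VULNS, today=TODAY):
    """Assemble the infrastructure section of the report as one dictionary."""
    return {
        "eol": eol_summary(assets, today),
        "patching": patch_summary(assets, today),
        "remediation": remediation_summary(vulns, today),
    }

if __name__ == "__main__":
    for section, values in board_report().items():
        print(section, values)
```

The same functions run unchanged on the next period's inventory, which is what makes the "how has this changed since the last report" comparison meaningful: keep each period's output and diff the numbers rather than recomputing them by hand.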
New Technologies
New Technologies, including Enterprise-Wide and Department-Level Applications as well as use of IoT, ML and AI, will require more frequent, and possibly more in-depth, reporting than has traditionally been the norm in your organisation. For many senior decision-makers, technology advancements are moving too quickly for them to stay on top of things and still run the company.
For reporting purposes, you may wish to include the following:
- The number of applications being used by the organisation, and each of its locations and departments, and how this has changed over time. Including headcount cost savings would be good, if possible.
- The number of IoT devices being used within the organisation, in what departments, and how that has changed since your previous report, along with the date of adoption and the resulting impact on overall performance, including the bottom line.
- This should include the total number of IoT ports connecting to the enterprise network, broken down by location if yours is a distributed network/organisation.
- Depth of IoT segmentation from rest of network and the organisation’s other resources.
- Organisations have been using IoT devices for over a decade now, so it has become important to also report on the number of devices that cannot be patched or upgraded. Again, budget forecasting can be critical.
We hope you found this helpful. Please check back with us mid-March for the final installment. In the meantime, we wish you a Happy Valentine's Day!