These are the metrics boards of directors will find useful, because they map security investments to strategic goals and risks.

Cybersecurity pros interested in metrics and measures frequently ponder, and pontificate on, which measures would best serve the board of directors. That is a tricky proposition, because "we have to speak like the business" is also a mantra, and coming up with cybersecurity metrics from a business perspective is a challenge. So how do we solve this problem and provide useful insight?

First, recognize that the board is the highest strategic level in the company. If you present metrics on patch status and phishing test results, you are essentially admitting that your cybersecurity program is built on a few hodge-podge activities and a prayer.

Cybersecurity pros often malign "red-yellow-green" indicators, but keep in mind that the board does not need technical details or variances. If directors can get by with "sales per square foot" for retail stores that sell smartphones and candy bars, or "bed utilization" for hospitals that treat dehydration and conduct brain surgery, they can work with bigger-picture scales of three to five levels. Red-yellow-green is not out of the question as long as each level is defined and backed by details that explain it. The bigger challenge is that board members are increasingly being held liable for negligence, and they should, and do, want more insight.

Top cybersecurity questions from corporate boards

Now we are back where we started: trying to give business-oriented board members technically oriented cybersecurity data at a strategic level. It helps to set a baseline of what board members really want to know about cybersecurity in any company. Here are their top five questions:

Are we secure? This question is the bane of many a cybersecurity pro's existence, because from a literal 100% protection standpoint the answer is, and always will be, "no". If we rework the question to "what is our exposure level?" we can start to make headway.

Are we compliant? This is often easily answered with audit results, but those provide little real comfort because of their point-in-time perspective, which can change at a moment's notice. It is better to assess the cybersecurity program against a control framework.

Have we had any (significant) incidents? Board members will already be well aware of any significant incident, so this question is usually answered with details plus estimates of costs and potential liability.

I said there are five questions, but the three above are the ones that are typically articulated. The final two are implied as a standard element of good board management:

How effective is our security program? Quality first.

How efficient is our security program? And then quantity.

Cybersecurity metrics for corporate boards

As we build out the program, the goal should be to translate the most detailed technical data directly into a strategic framework that is understandable at the business level. We should also remember that board members are not stupid: they can learn whatever they need in order to make strategic decisions. Technology is taking over their lives just as it is ours, and with the entire world going through digital transformation it has been remarkable how readily they have picked up SaaS metrics as needed.

We are going to work with metrics on:

- IT assets (number of users, devices, servers, apps, etc.)
- Usage activity (sessions, flows, messages, etc.)
- Process controls (user account create/modify/delete; vulnerability detect/patch; incident detect/respond, etc.)
- Real-time (inline) controls (antimalware, firewall, email security, etc.)
- Incidents

Here is a good core set of board metrics that provide strategic insight into the enterprise cybersecurity program:

- Cyber risk: the percentage of inappropriate usage activities out of all usage activities
- Cybersecurity efficacy: the percentage reduction in cyber risk provided by the real-time cybersecurity controls
- Cyber exposure: the average number of usage activities per IT asset
- Cyber resilience: the average number of real-time controls applied to each usage activity
- Risk aversion ratio: the productivity impairment we are willing to accept (e.g., password failures, false positives) compared to the malicious activity encountered, whether denied or allowed (true positives plus false negatives)

In addition, we need to factor in costs and value. After all, financial information is the lingua franca of the business world:

- Loss to value ratio: spending on cybersecurity, including incident losses, compared to the financial value provided by IT assets
- Control cost per IT asset (probably per application): the allocated cost of cybersecurity controls for each IT asset
- Risk reduced per unit cost: the financial value of reduced risk compared to total cybersecurity spending

Look at the board proceedings and earnings call transcripts of publicly traded companies, or even the vast number of financial ratios on your favorite investing website, and you will see that the metrics described above sit at a far more appropriate strategic level than a mishmash of patch levels and malware counts.

If we want executives to take cybersecurity seriously in the enterprise, this is the way to get there.
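To show what these definitions look like when applied to real telemetry, here is an added example (not the article author's tooling) in Python that rolls a constructed set of usage-activity records up into the five core metrics and maps two of them onto a defined three-level scale. The record format, the reading of "efficacy" as the reduction from inherent to residual risk, the sample events, the asset inventory and the rating thresholds are all assumptions made for illustration.

```python
"""Roll constructed usage-activity telemetry up into the board metrics
defined above. Added example, not the article author's tooling: the
record format, the way each ratio is computed from it, and all sample
numbers and rating thresholds are assumptions made here for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    asset: str        # IT asset the activity touched (constructed identifier)
    malicious: bool   # ground truth from later triage; assumed known
    controls: int     # number of real-time (inline) controls that inspected it
    denied: bool      # True if any inline control blocked the activity


# Constructed sample telemetry: ten usage activities across four assets.
ACTIVITIES = [
    Activity("mail", False, 2, False),
    Activity("mail", False, 2, False),
    Activity("mail", True, 2, True),    # phishing message blocked (true positive)
    Activity("erp", False, 3, False),
    Activity("erp", False, 3, True),    # legitimate session denied (false positive)
    Activity("vpn", True, 1, False),    # attacker login allowed (false negative)
    Activity("vpn", False, 1, False),
    Activity("crm", True, 2, True),     # credential-stuffing attempt blocked
    Activity("crm", False, 2, False),
    Activity("crm", False, 2, False),
]

# Asset inventory in scope; "hr" saw no activity but still counts as surface.
ASSETS = {"mail", "erp", "vpn", "crm", "hr"}


def cyber_risk(acts):
    """Inappropriate (malicious) activities as a fraction of all activities."""
    return sum(a.malicious for a in acts) / len(acts)


def residual_risk(acts):
    """Malicious activity that the inline controls let through (false
    negatives) as a fraction of all activities: the risk left after controls."""
    return sum(a.malicious and not a.denied for a in acts) / len(acts)


def cybersecurity_efficacy(acts):
    """Percentage reduction in cyber risk delivered by the real-time controls,
    read here as (inherent risk - residual risk) / inherent risk."""
    inherent = cyber_risk(acts)
    if inherent == 0:
        return 100.0  # nothing malicious arrived, so nothing got through
    return 100.0 * (inherent - residual_risk(acts)) / inherent


def cyber_exposure(acts, assets):
    """Average number of usage activities per IT asset."""
    return len(acts) / len(assets)


def cyber_resilience(acts):
    """Average number of real-time controls applied to each usage activity."""
    return sum(a.controls for a in acts) / len(acts)


def risk_aversion_ratio(acts):
    """Productivity impairment (legitimate activity denied, i.e. false
    positives) relative to malicious activity encountered (true positives
    plus false negatives)."""
    false_positives = sum((not a.malicious) and a.denied for a in acts)
    malicious_seen = sum(a.malicious for a in acts)
    return false_positives / malicious_seen if malicious_seen else float("inf")


def rag_rating(value, green, yellow, higher_is_better=False):
    """Map a metric onto a defined three-level scale. Explicit thresholds are
    what make a red-yellow-green indicator defensible in front of a board."""
    if higher_is_better:
        return "green" if value >= green else "yellow" if value >= yellow else "red"
    return "green" if value <= green else "yellow" if value <= yellow else "red"


def board_summary(acts, assets):
    """Compute the five core metrics and rate the two with thresholds. The
    thresholds are assumed for this example; a real program would derive
    them from its stated risk appetite."""
    risk = cyber_risk(acts)
    efficacy = cybersecurity_efficacy(acts)
    return {
        "cyber_risk": {"value": risk, "rating": rag_rating(risk, 0.05, 0.15)},
        "cybersecurity_efficacy": {
            "value": efficacy,
            "rating": rag_rating(efficacy, 95.0, 80.0, higher_is_better=True),
        },
        "cyber_exposure": {"value": cyber_exposure(acts, assets)},
        "cyber_resilience": {"value": cyber_resilience(acts)},
        "risk_aversion_ratio": {"value": risk_aversion_ratio(acts)},
    }


if __name__ == "__main__":
    for name, entry in board_summary(ACTIVITIES, ASSETS).items():
        print(f"{name:24s} {entry['value']:8.3f} {entry.get('rating', '')}")
```

On the constructed data the inherent cyber risk is 30% and the residual risk after inline controls is 10%, so the controls delivered a 66.7% reduction; exposure and resilience both come out at 2.0, and one false positive against three malicious events gives a risk aversion ratio of 0.33. The point of the exercise is that every board number traces back to countable events and inventory, so a director who asks "why is that red?" can be walked down to the defined threshold and the events behind it.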