Security teams and boards of directors are experiencing a communications breakdown on risk. When CISOs and security teams share metrics and data with the board, they speak the language of IT: phishing attempts blocked, systems patched, percentages of endpoints running AV software. The board is listening with their ears tuned for the language of business: operational continuity, risk of outages, effects on profits and productivity, investments and sunk costs, and the likelihood of regulatory penalties or bad press.
Security talks numbers: updates, patches, mean time to repair (MTTR). The board talks numbers, too: dollars, headcount, chances of an attack. Both sides end up talking past each other. As a result, the story of what risks the company is facing gets lost. Without a clear understanding of risk, the company can’t act promptly and effectively to reduce cyber threats, such as data breaches and ransomware attacks.
That’s just one of the conclusions in a recent survey by Harvard Business Review Analytic Services, sponsored by Tanium. The survey, Organizations Struggle to Measure and Monitor Cyber Risk, provides a clear picture of the state of risk reporting in the corporate world today. The report’s conclusions offer useful advice to any security team or board of directors interested in better understanding risk and how to manage it.
The state of risk reporting today
The Harvard Business Review Analytic Services survey asked 180 respondents in middle, senior or executive management in companies around the world questions about security reporting and risk. Respondents generally agreed that senior business executives need better information about the substantial risks organizations are facing today.
- 70% somewhat or strongly agreed that senior business executives at their organization should be more concerned about their organization’s cybersecurity.
- 68% somewhat or strongly agreed that IT teams could do more to make sure senior executives are better informed about their organization’s cyber risk and cybersecurity.
If there are problems with cybersecurity reporting, it’s worth asking just how often this reporting gets done. The survey found that:
- 33% of security teams brief senior business executives about cyber risk on an ad hoc basis.
- 29% brief executives monthly.
- 24% brief executives quarterly.
- 7% brief executives annually.
- 7% brief executives rarely or never.
Ad hoc, annual, or — worst of all — rare reporting leaves business executives in the dark about risks that could cause serious damage to the organization. Executive teams can’t be expected to make the right decisions about risks if they’re not informed about them in a timely manner.
Another factor the survey considered was how the risks were reported. Did security teams present a long list of metrics being tracked over time? Did they opt for generalities? Or for some combination of metrics and themes?
The survey found that:
- 52% presented the overall risk status along with some metrics and benchmarks.
- 44% presented the general, overarching risk status with few or no benchmarks.
- 13% presented a comprehensive review, including many metrics and benchmarks.
Generalities, of course, may be too general to be useful. Metrics can be useful, but only if they’re framed in terms the senior business executives can understand.
For more details about the types of metrics and benchmarks being shared with executives, download the full report.
The importance of understanding risk
Most executives don’t have strong technology backgrounds. They struggle to understand security metrics, in part because it’s not clear how the metrics are aligned to the board of directors’ primary goals. Those goals typically include business continuity, profits, and maintaining regulatory compliance.
With those goals in mind, how should business executives respond to a report about ransomware trends, faster response times in the service desk, and the number of laptops that still need to have their operating systems upgraded? Executives can’t tell.
There’s a crucial translation that needs to take place. Security teams should be collecting metrics about the state of their IT infrastructure. But they need to translate those metrics into terms that are meaningful to the company’s business goals.
Security leaders must identify the metrics that make sense and matter to both teams, so everyone can speak the same language. These metrics produce insights that boards and security teams can act on together, while taking into account people, processes and technology.
Ultimately, business executives are in these meetings to make decisions. They need to know what to invest in and what policies to adopt, correct or abandon. They’ll make those decisions on the basis of the company’s larger goals involving financial stability and growth.
Research suggests that metrics should be related to the company’s finances. To establish that relationship, security teams need to understand how people, processes, and technology support the company’s business today.
They need to understand the specifics. For example, if the company’s new mobile app is driving growth, which IT systems does that app depend on? Which servers and databases are involved? Which operating systems and software packages are those systems running? Are any of those operating systems at risk because of a recently announced vulnerability?
Once this context is established, it’s easier for executives to understand what a risk about unpatched servers means in terms of their business. Reporting has enabled them to see how a security metric relates to a financial outcome: in this example, the potential outage of a revenue-generating app.
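The translation step described above, as an added illustration rather than anything from the report or from Tanium: a constructed inventory (the "mobile-app" service, the host names, the revenue figure and the advisory id are all hypothetical placeholders) is rolled up two ways. The fleet patch rate is the metric security teams usually report; the service exposure view maps each business service to the hosts it depends on and states the same patch data as revenue that rides on unpatched systems.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    os: str
    unpatched_vulns: list = field(default_factory=list)  # advisory ids still open on this host


@dataclass
class BusinessService:
    name: str
    annual_revenue_usd: float
    depends_on: list  # names of the hosts the service cannot run without


# Constructed inventory for the illustration: hypothetical hosts, services,
# revenue and advisory id, not data from the report.
HOSTS = [
    Host("web-01", "Ubuntu 22.04"),
    Host("web-02", "Ubuntu 22.04"),
    Host("db-01", "Windows Server 2019", ["ADVISORY-PLACEHOLDER-1"]),
    Host("hr-01", "Windows Server 2019"),
    Host("hr-02", "Windows Server 2019"),
]

SERVICES = [
    BusinessService("mobile-app", 12_000_000, ["web-01", "web-02", "db-01"]),
    BusinessService("intranet", 0, ["hr-01", "hr-02"]),
]


def fleet_patch_rate(hosts):
    """The usual IT metric: percentage of hosts with no open vulnerability."""
    clean = sum(1 for h in hosts if not h.unpatched_vulns)
    return round(100.0 * clean / len(hosts), 1)


def service_exposure(services, hosts):
    """Business view: for each service, which supporting hosts carry an open
    vulnerability and how much annual revenue depends on them."""
    by_name = {h.name: h for h in hosts}
    report = []
    for svc in services:
        exposed = [n for n in svc.depends_on if by_name[n].unpatched_vulns]
        report.append({
            "service": svc.name,
            "hosts_total": len(svc.depends_on),
            "hosts_exposed": len(exposed),
            "exposed_hosts": exposed,
            # One unpatched dependency is enough to put the whole service at risk.
            "revenue_at_risk_usd": svc.annual_revenue_usd if exposed else 0.0,
        })
    return report


def board_lines(report):
    """Render the business view as plain sentences a non-technical reader can act on."""
    lines = []
    for row in report:
        if row["hosts_exposed"] == 0:
            lines.append(f"{row['service']}: all {row['hosts_total']} supporting systems are patched.")
        else:
            lines.append(
                f"{row['service']}: {row['hosts_exposed']} of {row['hosts_total']} supporting systems "
                f"carry an unpatched vulnerability; ${row['revenue_at_risk_usd'] / 1e6:.1f}M of annual "
                f"revenue depends on them."
            )
    return lines


if __name__ == "__main__":
    print(f"IT metric: {fleet_patch_rate(HOSTS)}% of hosts fully patched")
    for line in board_lines(service_exposure(SERVICES, HOSTS)):
        print("Business view:", line)
```

On this constructed inventory the fleet view reads as 80% patched, while the service view shows that the single unpatched host sits under the revenue-generating app. The same data, framed the second way, tells an executive what is actually at stake.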
In the words of the HBR report: “CISOs need to cut back on technical metrics and put cyber risk in economic terms.” Those metrics and terms should be consistent from quarter to quarter, so that everyone, including security teams and business leaders, can understand where the company stands on the vital matter of cyber risk.
To learn more about the report and its findings, register for our webinar on April 27. In this live, interactive webinar, Alex Clemente, managing director of Harvard Business Review Analytic Services, will share insights from this survey about how organizations measure and monitor cyber risk.
He will then discuss the threat of cyber risk, and steps organizations can take to mitigate it, with Chris Hallenbeck, chief information security officer for Tanium. Clemente and Hallenbeck will discuss:
- How organizations can better facilitate communication on cyber risk
- The importance of using the right cyber risk metrics
- Why using too many metrics (especially technical metrics) can cause confusion
- How to keep executives focused on cybersecurity
If you want to know your organization’s IT risk posture, request a no-cost risk assessment and receive a comprehensive view of risk posture and proactive ways to protect your organization.