Getting the Right Cybersecurity Metrics and Reports for Your Board

In the 2017–2018 NACD Public Company Governance Survey, 22 percent of corporate directors said they were either dissatisfied or very dissatisfied with the quality of cybersecurity information provided by management.

We’re not surprised. In most cases, management still reports on cybersecurity with imprecise scorecards like red-yellow-green “heat maps,” security “maturity ratings,” and highly technical data that are out of step with the metric-based reporting that is common for other enterprise reporting disciplines.

Boards deserve better. We recognize that cybersecurity is a relatively young discipline, compared to others under the umbrella of enterprise risk management (ERM). But it’s not a special snowflake. Management can and should deliver reports that are:

• Transparent about performance, with economically-focused results based on easily understood methods.
• Benchmarked, so directors can see metrics in context to peer companies or the industry.
• Decision-oriented, so the board can provide oversight of management’s decisions, including resource allocation, security controls, and cyber insurance.

While that level of reporting may still be aspirational for some companies, directors can drive their organizations forward by asking the following five questions, and demanding answers backed by the sorts of metrics and reports that we suggest below.

Before we get to the questions, there’s an over-arching prerequisite for sensible reporting: Every key performance and risk indicator should be tracked against a target performance or risk appetite, respectively.

That means defining risk tolerances in an objective, clear, and measurable way—for instance, “our critical systems downtime should always be less than one percent”—so that an analyst’s gut feelings aren’t determining results.

1. What is the threat environment that we face?

The chief information security officer or chief risk officer should paint a picture of the threat environment (cybercriminals, nation-states, malicious insiders, etc.) that describes what’s going on globally, in our industry, and within the organization. Examples of good metrics and reports include:

• Global cyber-related financial and data losses
• New cyber breaches and lessons learned
• Trends in ransomware, zero-day attacks, and new attack patterns
• Cyber threat trends from ISACs (information sharing and analysis centers)

2. What is our cyber-risk profile as defined from the outside looking in?

Boards should get cyber-risk assessments from independent sources. Useful sources of information include:

• Independent security ratings of the company, benchmarked against peers
• Third-party and fourth-party risk indicators
• Independent security assessments (e.g., external consultants and auditors)

3. What is our cyber-risk profile as defined by internal leadership?

Management should provide assessments with tangible performance and risk metrics on the company’s cybersecurity program, which may include:

• NIST-based program maturity assessment
• Compliance metrics on basic cyber hygiene (the five Ps): passwords, privileged access, patching, phishing, and penetration testing
• Percentage of critical systems downtime and time to recover
• Mean time to detect and remediate cyber breaches

4. What is our cyber-risk exposure in economic terms? Based on the company’s cyber-risk profile, the central question is: What is the company’s potential loss?

In the past 30 years, we have seen that question answered in economic terms in each and every risk discipline in ERM: interest rate risk, market risk, credit risk, operational risk, and strategic risk. Now we need to address that question for cyber risk. This expectation can also be found in the U.S. Securities and Exchange Commission’s new guidance on cybersecurity disclosures and its focus on quantitative risk factors.

The Factor Analysis of Information Risk (FAIR) methodology is a widely-accepted standard for quantifying cyber value-at-risk. The FAIR model provides an analytical approach to quantify cyber-risk exposure and meet the heightened expectations of key stakeholders.

In the current environment, directors should demand more robust reporting on metrics such as:

• Value of enterprise digital assets, especially the company’s crown jewels
• Probability of occurrence and potential loss magnitude
• Potential reputational damage and impact on shareholder value
• Costs of developing and maintaining the cybersecurity program
• Costs of compliance with regulatory requirements (e.g., the EU’s General Data Protection Regulation)

5. Are we making the right business and operational decisions?

Cyber is not simply a technology, security, or even risk issue. Rather, it is a business issue and a “cost of doing business” in the digital economy. On the opportunity side, advanced technologies and digital innovations can help companies offer new products and services, delight their customers, and streamline or disrupt the supply chain. As a top strategic issue, management should provide the board with risk and return metrics that can support effective oversight of business and operational decisions, such as:

• Risk-adjusted profitability of digital businesses and strategies
• Return on investment of cybersecurity controls
• Cyber insurance versus self-insured

We believe the number should be zero when it comes to the percentage of directors dissatisfied with the cybersecurity information provided by management. Based on our own observations of board reports on the quality of cybersecurity reporting, there remains significant gaps. We hope our article will serve as a framework for directors and executives to discuss ways to close those gaps.