Jan 23, 2020
All links and images for this episode can be found on CISO
What metrics, reports, or strategies should a security
professional utilize to communicate the value to the board? Or is
the mode of "presenting to the board" a damaged approach?
Check out this post for the discussion that is the basis
of our conversation on this week’s episode co-hosted by
Spark (@dspark), the
producer of CISO
Series and Allan
Alford (@AllanAlfordinTX). Our
guest is Barry
executive leadership partner, Gartner.
Thanks to this week’s podcast sponsor,
Anomali is a leader in intelligence-driven cybersecurity
solutions. Anomali turns threat data into actionable intelligence
that drives effective security and risk decision making. Customers
using Anomali identify cyber threats from all layers of the web,
automate blocking across their security infrastructures, and detect
and remediate any threats present in their
On this episode of Defense in Depth, you’ll learn:
- A conversation with the board begins with a discussion of what
risk is. But getting that information out of the board is far from
a simple task. Vague answers are not helpful.
- Metrics are of value to the board, but avoid offering up
tactical metrics. Instead, utilize strategic metrics.
- Once risk appetite is understood and agreed upon, then it's
appropriate to begin a discussion of the security program's
- Caplin recommends a four-slide presentation for the board:
- Where we were, problem areas identified per risk and
- What we spent and a bit of why we spent.
- Where we are now (metrics come into play here). Best to show
how much progress you've made in implementing security
- Where we want to go next, and what the next ask is.
- If you're going to show a metric, it should answer a very
specific question for the board.
- If you are going to show one metric, the most popular one is
dwell time or the time between when an attack happens, when you
discover it, and when it's remediated.
- The one metric of dwell time provides a lot of information as
to the maturity of a CISO's security program as it coincides with
its ability to respond to incidents.
- Some CISOs aim for a storytelling approach completely avoiding
metrics because metrics have unfortunately led the board down the
wrong path. It's either the wrong metrics, too detailed of a
metric, or metrics not tied to business risk or to a maturity