Cyber Sunday: Boards need to be up to speed on cybersecurity
It’s critical to managing risks to the business
By Brandon Blankenship, Cyber Sunday columnist
Aug. 18, 2024 5:00 am, Updated: Aug. 19, 2024 3:53 pm
If you’ve built the cybersecurity program for your company, senior leadership needs to understand that your program is effective. And that includes both operational leadership and, increasingly, boards of directors.
Historically, IT and cybersecurity have been relegated to the corner, and too often that suits everyone just fine. In 2024, the stakes are too high for IT to simply do its own thing without board oversight.
I’ll acknowledge that reporting metrics to the C-suite can be somewhat different from reporting metrics to a board of directors.
A crucial role of the board is to manage risks, and cyber risks can play a big part in their fiduciary and oversight responsibilities.
According to Gartner Cybersecurity, 88 percent of board members said cybersecurity is a business risk that belongs to the organization as a whole. I’m surprised the number was that low.
In short, cybersecurity is a sustained business risk, not only an IT concern.
SEC rules
Late last year, the federal Securities and Exchange Commission introduced new cybersecurity rules.
Some rules focus on mandatory disclosure of breaches and scheduled and recurring risk assessments and penetration tests. Most interestingly, however, they push for cybersecurity knowledge at the board level.
The reasoning behind the rule is clear. We understand that boards should encapsulate financial and legal knowledge and, because of this, boards tend to have at least one chief financial officer and at least one attorney.
Because of the changing threat landscape, the SEC acknowledges that boards need to be equipped to ask about and understand the risk reduction strategies in IT.
Many boards are already doing this, and this guidance is a refreshing validation that boards are moving in the right direction. There is nothing that IT and cyber doesn’t touch, and having someone with technology chops on your board makes good business sense. They can ask the pertinent questions and understand the underlying concepts.
Metrics 101
If you’re a chief information officer (CIO) or a chief information security officer (CISO), what metrics should you show a board and how should you package the presentation?
The good news is that the National Association of Corporate Directors published guidance with the Internet Security Alliance on the format of that presentation.
Board members tend to be on more than one board, and they are likely used to seeing things in a certain format. Of course, all organizations are different, and different boards want different things, often based on their industry.
However, there are trends:
- Track what is useful and relevant to your organization. A good overall rule for metrics is to not report on something you have no power to change. You wouldn’t report the number of times your external firewall was scanned last month (it’s a lot), just like you wouldn’t report the inches of rain last month.
- Don’t report metrics just to report them.
- Whatever is measured will improve. If you measure performance by mouse wiggles, then your employees will simply wiggle the mouse every few minutes versus actually providing value to your business.
- I like to include a slide on vulnerability management that shows if we’re patching our systems in a timely manner. A simple metric is the number of critical vulnerabilities older than our Service Level Agreements, and a trendline showing if we’re pushing those vulnerabilities down over time.
- Usually, there’s an end-user cybersecurity training slide that shows the “click rate,” the “phish rate,” or the percentage of end users who coughed up their passwords to a simulated attacker. Graphed over time, this will show whether our security training is changing behaviors.
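The two board metrics described above (critical vulnerabilities open past the remediation SLA, trended month over month, and phishing click and credential-submission rates from awareness campaigns) are simple enough to compute from a vulnerability tracker export and campaign results. The script below is an added example, not code from the column or from ProCircular; the SLA values, the findings and the campaign numbers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed remediation SLAs in days per severity (constructed values, not from the column).
SLA_DAYS = {"critical": 14, "high": 30}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as a tracker would export it."""
    host: str
    severity: str
    first_seen: date
    closed: Optional[date] = None  # None means still open


def overdue_open_findings(findings: List[Finding], as_of: date, severity: str = "critical") -> int:
    """Count findings of the given severity that were still open on `as_of`
    and had already been open longer than the SLA on that day."""
    limit = SLA_DAYS[severity]
    return sum(
        1
        for f in findings
        if f.severity == severity
        and f.first_seen <= as_of
        and (f.closed is None or f.closed > as_of)
        and (as_of - f.first_seen).days > limit
    )


def overdue_trend(findings: List[Finding], month_ends: List[date], severity: str = "critical") -> List[Tuple[str, int]]:
    """The trendline for the board slide: overdue count at each month end."""
    return [(d.isoformat(), overdue_open_findings(findings, d, severity)) for d in month_ends]


def phish_rates(campaigns: List[Tuple[str, int, int, int]]) -> List[Tuple[str, float, float]]:
    """campaigns: (month, emails_sent, clicked_link, submitted_credentials).
    Returns (month, click rate %, credential-submission rate %) per campaign."""
    out = []
    for month, sent, clicked, submitted in campaigns:
        if sent == 0:  # avoid a division by zero for a month with no campaign
            out.append((month, 0.0, 0.0))
            continue
        out.append((month, round(100.0 * clicked / sent, 1), round(100.0 * submitted / sent, 1)))
    return out


def improving(series: List[float]) -> bool:
    """True when the last data point is lower than the first (lower is better for both metrics)."""
    return len(series) >= 2 and series[-1] < series[0]


# Constructed sample data: a handful of findings and three monthly phishing campaigns.
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2024, 5, 1), date(2024, 5, 10)),   # fixed within SLA
    Finding("db-02", "critical", date(2024, 5, 5)),                       # still open, overdue every month
    Finding("app-03", "critical", date(2024, 6, 20), date(2024, 7, 20)),  # within SLA at June end, closed by July end
    Finding("vpn-04", "critical", date(2024, 6, 1), date(2024, 7, 5)),    # overdue at June end, closed by July end
    Finding("fs-05", "high", date(2024, 4, 1)),                           # high severity, ignored in the critical count
]
MONTH_ENDS = [date(2024, 5, 31), date(2024, 6, 30), date(2024, 7, 31)]
SAMPLE_CAMPAIGNS = [("2024-05", 200, 30, 12), ("2024-06", 200, 20, 6), ("2024-07", 250, 15, 5)]


def board_summary() -> dict:
    """The numbers that would back two slides, with the trend direction for each."""
    overdue = overdue_trend(SAMPLE_FINDINGS, MONTH_ENDS)
    phish = phish_rates(SAMPLE_CAMPAIGNS)
    return {
        "critical_overdue": overdue,
        "critical_overdue_improving": improving([n for _, n in overdue]),
        "phish": phish,
        "click_rate_improving": improving([c for _, c, _ in phish]),
    }


if __name__ == "__main__":
    for key, value in board_summary().items():
        print(f"{key}: {value}")
```

Each data point on the slide traces back to a finding or a campaign row, which is exactly the "know the source of every data point" test the column describes: if the board asks why June went up, the answer is two named hosts that were open past 14 days on June 30.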
Aim for clarity
A word of caution. Be very careful with charts. Charts should answer questions, not raise questions. You must know the source of every data point on your charts and be able to quickly articulate exactly what you’re measuring.
If you’re not prepared to answer four questions deep on your graphs, then you should rethink what you include. If your graph is too busy and doesn’t immediately clarify a concept to your audience, you are inviting trouble.
Brandon Blankenship is the chief information security officer at ProCircular, an Iowa cybersecurity firm, a cybersecurity evangelist and a board member of SecMidwest, a community outreach and cybersecurity education group. Comments: bblankenship@procircular.com