Board-Level Cybersecurity Metrics

In brief: This tool outlines the metrics that boards can use to measure the effectiveness of the corporation’s cybersecurity program. With this understanding, boards will be well prepared to advise management teams on cybersecurity threats that may need to be addressed. This tool originally appeared in the publication, Cyber-Risk Oversight 2020: Key Principals and Practical Guidance for Corporate Boards. 

This resource can help your board to

• consider key metrics to assess board-level cybersecurity issues,

• provide management with oversight for cybersecurity plans using metrics, and

• pose questions to management around strategic cybersecurity metrics.

Most relevant audiences: Risk committee chairs, risk committee members, and CISOs

OBJECTIVE OF THE TOOL: 
Modern businesses are increasingly data driven. Boards now routinely use metrics to help inform their strategic and oversight functions on finance, market competition, marketing sales, etc. This Tool describes how metrics can be used to measure the effectiveness of cybersecurity programs and offers advice on how boards can leverage those metrics to conduct oversight of their organization’s cybersecurity programs.

Typically, directors rely on management to develop these metrics and present them in a fashion useful to the board’s oversight mandate. Cybersecurity is not substantially different in this respect.

However, the development of useful cybersecurity metrics has been an evolutionary process. Moreover, with digital technology and underlying systems constantly changing and affecting a growing number of enterprise activities, the type of cybersecurity metrics at both the management and board level need to evolve, as well.

Traditionally, cybersecurity briefings have been relegated to segregated reviews given during a designated portion of a board meeting. However, as discussed in Principle 1 of this Handbook, cybersecurity issues are best addressed when considered as an inherent part of business decisions, such as decisions on strategic partnerships, new products, M&A, etc., and ought to be addressed in the formative stages of these discussions. As a result, different types of metrics may be more appropriate for specific business topics than more generalized cybersecurity metrics, which may be more appropriate for a comprehensive, system-wide review given in the traditional separate board discussion. Relying on these generalized metrics—other than for compliance purposes—can actually create a false sense of security. A 2019 study by Forrester on the issue concluded, “Traditional metrics paint an incomplete picture and can leave companies blind to potential risk.”