Blog Post
The Cybersecurity Metrics That Matter Most in the Boardroom
October 22, 2024
The Challenge of Elevating Cyber Risk Into the Boardroom
As the cost and frequency of cyber events grow, technologies evolve, and regulators enact stricter cybersecurity laws, it has become exceedingly clear that elevating cyber matters to the boardroom is a strategic imperative. In 2021, Gartner reported that 88% of board members already recognized cyber risk as a significant business risk, a figure that has no doubt risen even further in the wake of the US SEC cyber regulations, the NIS 2 Directive, DORA, and the catastrophic 2024 CrowdStrike outage.
But with cybersecurity now a board-level priority, many stakeholders have simultaneously become overwhelmed by abstruse cyber concepts. Although learning more about the organization's cyber exposure is generally helpful, many traditional cyber KPIs are highly technical and fail to communicate tangible insights to those without the relevant expertise or training, which only widens the gap that already separated chief information security officers (CISOs) from board members.
Nevertheless, there are countless CISOs working with boards worldwide across industries who have recognized this communication challenge and taken proactive measures to learn how to talk about security in broader business terms, leveraging strategic cyber metrics that resonate with board members and minimizing the divide between technical cybersecurity details and overarching goals.
Asking the Cybersecurity Experts
On a mission to uncover the most effective cybersecurity metrics for the board - those that help CISOs achieve their departmental goals while enabling board members to tangibly understand cyber risk exposure - Kovrr reached out to leading cybersecurity practitioners. We sought to gain deeper insights into what truly works for bridging the gap between cyber complexities and strategic oversight and to share these findings with others who may still be facing similar obstacles.
While we received many valuable responses, this article highlights insights from the following experts:
- Royce Markose, CISO, Vistrada
- Benjamin Corll, CISO in Residence, Zscaler
- Jessica Nemmers, Field CISO, Flair Data Systems
- Wai Kit Cheah, CISO, Asia Pacific, Lumen Technologies
- Sue Bergamo, CISO, BTE Partners
- Douglas Brush, Interim CISO for Regulatory and Legal Compliance & Court Appointed Neutral
- Dr. Rebecca Wynn, Global Chief Security Strategist & CISO, Click Solutions Group
Each of these cybersecurity leaders answered three questions.
- What do you think are the most important cybersecurity metrics for the board and why?
- Have you ever been in a high-level meeting in which you communicated with metrics that weren’t easily understood by your audience? If yes, which metrics were those, and what did you do to make sure that, next time, you leveraged more appropriate ones?
- What are the most common questions you receive from board members looking to better understand the organization’s cyber risk exposure?
Through their responses, these seasoned CISOs offer practical guidance to others, sharing their personal experiences on what has worked best to effectively communicate cyber risk at the board level. They emphasize strategies for translating technical cybersecurity concepts into business-relevant insights to enhance collaboration with board members.
The Most Important Cybersecurity Metrics for the Board
Plainly, choosing the right cybersecurity metrics is essential for ensuring board members have a clear understanding of the organization's cyber risk landscape. Otherwise, CISOs risk perpetuating the misconception that cyber is a resource drain, one that is too complex to be integrated within the larger enterprise risk management (ERM) strategy.
Benjamin Corll: Communicate the Impact
“Boards care about scorecards more than technical metrics. [They want to know if] we’re on track against what we said - operationally, financially, and for the overall program. They don’t want to see phishing click rates or awareness training percentages…[and] they don’t care about 33 million firewall blocks in the last month. They only want to know the things that had a business impact!”
Jessica Nemmers: Provide a Dynamic View
“Risk appetite alignment metrics…which highlight the current risk exposure as it relates to the expectations set by the board. I often refer to items captured on the risk register and the status of their remediation. I also present new threats related to risk that leaders had previously accepted….Tracking risk reduction or increase over time is also important because it provides the board with a dynamic view of how the organization's cyber risk posture is evolving and the strengths and weaknesses in cyber risk management.”
Wai Kit Cheah: Leverage Quantifiable Metrics
“When it comes to communicating the organization’s cybersecurity posture to board members, we need to consider metrics that are closely aligned with the business goals and risk appetite, preferably quantifiable. Some of the metrics I would recommend are:
- Quantified risk exposure: Financial estimates of potential business impact or losses from cyber incidents based on identified risks. This is critical as it translates technical risks into business impact.
- Third-party risk metrics: First, frequently report the results of security assessments on third-party suppliers or vendors, including their compliance with relevant industry standards and regulations. Based on their risk levels, classify and rate each of them according to the sensitivity of the data they handle and their security posture.
- Incident metrics: Communicate the number of cyber incidents detected, investigated, and reported (in a given period) by their severity and their impact on the organization.”
Sue Bergamo: Keep It Business-Related
“CISOs need to balance their messaging to the board without giving them too many details as to what is happening at the back end of their shops. Contrary to public belief, the board doesn’t need or want all of the details on a cybersecurity incident...The CISO should focus the metrics on anything that impacts revenue, fraudulent activities, or brand reputation – that’s it. The board will ask questions as needed regarding the information presented. Experienced CISOs know how to offer a concise conversation.”
Overcoming Misunderstood Metrics and Improving Future Board Reports
Boardroom reporting and high-level communication are skills that don't necessarily come naturally, especially to those accustomed to demonstrating their value in technical and operational terms. Learning how to speak the language of the board is a trial-and-error process and requires CISOs to continuously review and adapt their mindsets.
Douglas Brush: Let’s Talk About Money
“When board members are confused or getting bogged down by some technical aspect, that’s when I say, ‘Okay, let’s stop talking about risk and start talking about money.’ [Money] is what these stakeholders care about, and when I start talking about money and how we’re going to save money, it changes the entire conversation and board members start to understand.”
Dr. Rebecca Wynn: Emphasize the Effectiveness
“I once presented the number of detected vulnerabilities and the volume of phishing emails blocked. While these metrics seemed important from a technical standpoint, they didn’t resonate with the board, as they lacked clarity on how these numbers impacted business risks. After recognizing this, I shifted my approach for future meetings.
Instead of focusing on raw numbers, I emphasized the percentage of critical vulnerabilities remediated and the effectiveness of employee phishing awareness. I also started using metrics like ‘Mean Time to Detect’ and ‘Mean Time to Respond’ to show how prepared we were to handle incidents that could disrupt operations.”
Sue Bergamo: CISOs Learn the Hard Way
“CISOs learn the hard way [about the importance of choosing the right metrics] after the first time that they are asked to attend an executive meeting (not a board meeting), and the level of detail they provide causes concern and angst. The best advice here is to not go into too many details and to stick with high-level metrics regarding what the GRC team is working on and anything to do with sales and the size of the deal…Again, this information should be focused on impacts on revenue or brand reputation.”
Royce Markose: Shift Metrics to Align With Business Outcomes
“Early on, I presented highly technical metrics such as firewall rule counts, vulnerability scan totals, and intrusion attempts detected. These were important from an operational perspective but didn’t resonate with the board because they didn’t tie directly to business impact.
To address this, I shifted my communication to focus on metrics that aligned with business outcomes. For example, instead of discussing vulnerability scan counts, I framed the discussion around risk reduction—how patching vulnerabilities minimizes the likelihood of a costly breach.
I also used relatable analogies. For example, I compared patch management compliance to regular health check-ups in a doctor’s office. Just as routine check-ups prevent minor issues from escalating into serious health problems, regular patching prevents small vulnerabilities from being exploited.”
Jessica Nemmers: Tie Technical Concepts to Relatable Areas
“The hardest metrics have been around vulnerability and patch management and how certain vulnerabilities can result in risks to operations, financial standing, and/or reputation downstream. If I was unsuccessful in communicating these risks, I would go back to my teams and ask them to help me explain the risk in different terms using analogies. I always try to tie technical concepts to areas that everyone can identify with, such as protecting one’s home or the assets inside.”
Most Common Cybersecurity Questions from the Board
Board members are increasingly seeking clarity around their organization's cybersecurity posture, though typically only around specific areas such as risk exposure and preparedness. Knowing the questions they're most likely to ask not only allows CISOs to anticipate concerns and provide more targeted answers but also offers insight into how to adopt a 'business-first' mindset.
Wai Kit Cheah: What Are Our Biggest Cyber Risks?
“Board members commonly want to understand their overall risk profile or how vulnerable the organization is to specific cyber threats. For example, what are our biggest cybersecurity risks, and how are we addressing them? As the risk profile of an organization is dynamic and changes over time, providing regular updates on the risk profile (quarterly or biannually), highlighting emerging threats, and the effectiveness of the current security program is important.
The board might also be interested in learning how their organization’s security posture is benchmarked compared to industry peers. Benchmarking allows the board to understand if their performance is up to par or if there are gaps that need addressing or areas for improvement.”
Royce Markose: How Likely Is a Significant Breach?
“Board members often ask the following questions:
- What is the organization’s risk exposure to critical business systems, and how likely is a significant breach? They want to understand the scope and potential impact of a major cyber incident on the business.
- How prepared are we to respond to a major incident, and what’s the expected recovery time? Board members are interested in the organization’s resilience and readiness to handle significant incidents.
- What are the potential financial and reputational impacts of a cyber event? The board is keen to know how cyber risks translate into financial and reputational losses.
- What steps are we taking to mitigate third-party risks? With the rise of supply chain attacks, understanding the risks posed by external vendors and partners is a growing concern.”
Benjamin Corll: What Events Would Create a Material Impact?
“They truly want to know what the risks are, how we’re managing them, what events are likely to happen that would create a material impact, and how resilient our program is if any of these scenarios occur. The board sets the security risk appetite and defines tolerances. I build my program around those policies and guidelines.”
Dr. Rebecca Wynn: What Are the Most Critical Risks Right Now?
“The most common questions I receive from board members about the organization’s cyber risk exposure usually focus on understanding the real business impact rather than technical specifics. They often ask, ‘What are the most critical risks we face right now?’, wanting to know which vulnerabilities or threats could significantly disrupt the business rather than just how many were detected.”
Bolstering Boardroom Alignment Through Business-Focused Cyber Metrics
As CISOs slowly but surely embed cyber risk management into high-level decision-making processes, board members, too, want to know how to incorporate it into their governance and oversight programs. This growing demand, as the experts have pointed out, requires that cybersecurity leaders shift their focus away from technical jargon and instead present metrics and KPIs regarding their organization's cyber exposure in a manner that aligns with strategic business goals.
Indeed, boards are no longer content with accepting a CISO's technical terms at face value - terms that often hold little meaning for them and risk isolating cybersecurity from broader business discussions. Instead, they seek a deeper, more tangible understanding of how cyber risks directly impact the business's bottom line, such as how an event may affect revenue, reputation, and operational resilience.
Those CISOs who have been successful in cybersecurity board reporting have learned through experience that the key to effective communication lies in migrating away from complex operational metrics and towards this broader business language. By doing so, they've managed to foster more informed discussions, enabling the board to recognize that cybersecurity is not a resource drain but, rather, a critical enabler of long-term market success.
Translating Cyber Metrics Into Tangible Boardroom Terms With CRQ
One of the most straightforward means of translating the more technical aspects of cybersecurity into terms that resonate with the board is to harness on-demand cyber risk quantification (CRQ). CRQ offers easily communicable insights into an organization’s unique cyber risk exposure, such as the likelihood of various events and loss scenarios occurring, along with the respective financial and operational damage.
To learn more about how CRQ can help you bolster board-level discussions and position cybersecurity as a strategic business enabler within the broader ERM context, schedule a free demo with Kovrr today.