Should Operational Security Be Discussed With the Board?
I’m Jeffrey Wheatman, Cyber Risk Evangelist at Black Kite. If you ask my family (and to be fair, most of my friends), they will tell you I never admit when I’m wrong. I disagree. I would, or rather would have, admitted I was wrong if it ever happened.
For a long time, I’ve been advising security and risk professionals that under no circumstances should they be going to their board of directors and showing them operational metrics. Full stop!
So, here it comes…I think I may have possibly been mistaken … maybe. Wow, this is harder than I thought.
I WAS WRONG
We know that boards are increasing their focus on cybersecurity (exhibit 1, 2, 3, etc.), and it is inevitable that board members are asking more questions of CIOs and CISOs. My extensive involvement with CIOs and CISOs being called in front of their boards has shown that boards tend to ask questions about more technical subjects, like vulnerabilities, threats, incident response and data security – in other words, operational topics. I used to tell CISOs to push back and say things like ‘well, we could share that, but it won’t help with managing business risk, so instead we are going to answer a different question – one that you didn’t ask.’
In retrospect, this comes off as disrespectful, pedantic, and condescending. Frankly, it doesn’t make the CISO or CIO look very good. So, yeah, sorry about that.
What I have come to realize is that nobody is interested in being told (explicitly or implicitly) that they are asking the wrong questions. What I would like to propose is that we create and report a set of metrics that are operational in origin, but are target-based and clearly tied to business goals.
For example –
| Instead of this … | Tell them this … | Because |
|---|---|---|
| We have 325,098 open vulnerabilities this month | We are patching 95% of our business-critical systems within 3 days of a patch being made available. | Patching within an agreed-upon time frame allows us to manage the impact on revenue to within our risk appetite (in other words, we patch, and the revenue stays on track) |
| We had 349 incidents last quarter | We lost 17 hours of uptime (against a quarterly target of 4 hours downtime) due to a ransomware incident on our billing system. | Billing is connected to revenue, and we only had 1 incident that had a financial impact this quarter |
| We conducted 723 assessments of our third parties | Of our third parties deemed business critical, 40% fall below our defined minimum threshold. | We depend on our third parties to run our business, and if they don’t do a good job, we are by extension exposed |
One of my friends and former colleagues (Tina Nunno) has said “if you give data to the board, you need to also interpret it for them. Rest assured, if you fail to do so, they will take away the exact wrong message.”
What should you do now? Take a look at the metrics you have and see how you can group them, combine them, slice and dice them, and otherwise tweak them so that (1) you are reporting against agreed-upon targets, and (2) the metrics are clearly connected to business goals such as revenue, downtime, availability, etc.
Stay safe, stay healthy, stay secure.