As cybersecurity concerns grow, leadership is searching for the metrics and insights that matter. At the end of last year, Protiviti sponsored a Cyber Summit in Chicago with speakers from Northwestern Mutual, First Midwest Bank, Zebra Technologies, and ParkerGale Companies. We were also joined by Doug Hubbard, author of How to Measure Anything in Cybersecurity Risk. The talks centered on how cybersecurity metrics can be used to communicate effectively with the board. Below is a summary of the topics.
Stop Overcomplicating Risk Reporting
Forum attendees first heard from Doug Hubbard, who spoke about how to simplify risk reporting. Mr. Hubbard stressed the importance of developing insights based on probability, leveraging statistical analysis to support decisions that are data-driven and based on optimal resource allocation. The greatest cybersecurity risk, according to Mr. Hubbard, is in the way risk itself is measured. Too often, cybersecurity experts rely on sources that are not data-driven, he said, and he challenged organizations to drop the well-established “risk matrix” approach in favor of statistical analysis to reduce uncertainty.
Reporting to Five Different Boards – A CISO’s Journey
Sheldon Cuffie, Chief Information Security Officer (CISO) at Northwestern Mutual, discussed how he addresses the challenges of reporting to five different boards – lessons that apply to anyone with similar reporting obligations. In sum: first understand the goals of each board, then develop content that addresses the concerns that board has in representing its shareholders. A further task is to recognize the core competencies and appetite for detail of each board member. Because the CISO is responsible for instilling confidence and assuring the board that the organization’s risks are appropriately managed, the metrics communicated must address that board’s specific information needs. Over time, Mr. Cuffie has identified questions that boards consistently ask, such as “Are we secure enough for our business? Do we enable the business? Are we investing wisely in cybersecurity?” and he recommends choosing supporting metrics aligned to those questions.
What’s Behind the Questions Boards Ask?
Cybersecurity investment is like buying an insurance policy: every organization is seeking the best balance between spending on cybersecurity and the cyber risk that spending mitigates. That was the core message of the presentation given by Frank Modruson, former CIO of Accenture and Board Member of both First Midwest Bank and Zebra Technologies, and Ryan Milligan, Partner in ParkerGale and Board Member of ParkerGale portfolio companies. Cybersecurity metrics – and the stories they tell – describe that balance between risk and reward. When communicating to the board, the presenters suggested a structure for the message: first, share an understanding of present-day risks and how they are managed; next, convey the desired future state for the organization and use metrics to describe how well the organization is tracking to that plan; finally, discuss any relevant cybersecurity incidents and reassure the board that the organization is equipped to respond to the next big one. Mr. Milligan cautioned against reacting strongly to cybersecurity incidents in the news, which can distract an organization from its key priorities.
Meaningful Metrics: Three “Spark Talks”
Finally, I shared some guidance, based on observations from our practice, on how to provide powerful and accurate metrics that convey the right message.
How not to lie with statistics. Data often carry a built-in bias; recognizing that bias and working with it openly is essential to credibility. The same metric can be modeled to tell different stories: the different measures of “average” (mean, median and mode) may all be heard by the audience as the same number, yet on skewed security data they can shape messages ranging from optimistic to dire. Audiences may also assume that any correlation between two facts means that one causes the other; presenters should point out when this is not the case and apply sound scientific method before claiming causation.
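To make both Mr. Hubbard’s point (replace a risk-matrix cell with a probability distribution) and the mean/median/mode point concrete, the following Python is an added example written for this summary; it is not code from any of the presentations or from Mr. Hubbard’s book. Everything in it is assumed for illustration: a constructed list of per-incident costs, a single hypothetical loss scenario (30% chance per year of an event, with a 90% confidence interval of 50k to 500k USD on its cost), and the conversion of that interval into a lognormal distribution using z = 1.645 for the central 90%.

```python
"""Quantitative loss simulation vs. single-number summaries.

Added example for this summary. All data and parameters are hypothetical.
"""
import random
import statistics
from math import log

# Constructed sample of per-incident remediation costs in thousands of USD
# (hypothetical data, not from any presentation or real incident set).
INCIDENT_COSTS = [5, 5, 8, 12, 15, 20, 25, 40, 60, 310]

# Z-score bounding the central 90% of a normal distribution (assumption).
Z_90 = 1.645


def averages(values):
    """Return the three common 'averages' of the same data.

    A board hears all three as 'the average'; on right-skewed security data
    (a few very expensive incidents) they differ by an order of magnitude.
    """
    return {
        "mean": statistics.fmean(values),
        "median": statistics.median(values),
        "mode": statistics.mode(values),
    }


def lognormal_params(low, high):
    """Turn a calibrated 90% confidence interval on loss size into lognormal
    (mu, sigma). Assumption: the estimator's interval is the central 90%."""
    mu = (log(low) + log(high)) / 2
    sigma = (log(high) - log(low)) / (2 * Z_90)
    return mu, sigma


def simulate_annual_loss(p_event, low, high, trials=10000, seed=1):
    """Monte Carlo of one loss scenario: in each simulated year an event
    occurs with probability p_event and, if it does, costs a lognormal
    amount whose 90% CI is [low, high]. Returns the simulated annual losses."""
    rng = random.Random(seed)  # fixed seed so the numbers are reproducible
    mu, sigma = lognormal_params(low, high)
    return [rng.lognormvariate(mu, sigma) if rng.random() < p_event else 0.0
            for _ in range(trials)]


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on a loss-exceedance curve,
    e.g. 'chance we lose more than our cyber-insurance limit this year'."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses, q):
    """Nearest-rank percentile (q in 0..1) of the simulated losses."""
    s = sorted(losses)
    return s[min(len(s) - 1, int(q * len(s)))]


def summarize_scenario(p_event, low, high, **kw):
    """The numbers a board can act on, instead of a 'medium/high' matrix cell."""
    losses = simulate_annual_loss(p_event, low, high, **kw)
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "median_annual_loss": statistics.median(losses),
        "p90_annual_loss": percentile(losses, 0.90),
        "p_any_loss": exceedance_probability(losses, 0.0),
        "p_loss_over_250": exceedance_probability(losses, 250.0),
    }


if __name__ == "__main__":
    print("same data, three 'averages':", averages(INCIDENT_COSTS))
    # Hypothetical scenario: 30%/year chance of a breach, 90% CI on cost 50k-500k.
    print("scenario:", summarize_scenario(0.30, 50.0, 500.0))
```

Running it shows the first point directly: the constructed incident data has a mode of 5, a median of 17.5 and a mean of 50, so “the average incident costs us 5k” and “the average incident costs us 50k” are both literally true. The simulation shows the second point: the median simulated year has zero loss while the expected annual loss is on the order of 60k, and the probability of exceeding a chosen threshold (here 250k) is the kind of figure that supports a spending decision in a way that a likelihood-times-impact cell does not.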
How to spot misleading graphs. A misleading graph usually carries visible tell-tale signs. If the axis on a chart is broken or does not start at zero, differences between measures look more dramatic than they are. Data presented on multiple look-alike charts whose scales are not identical also tell a misleading story, because the eye compares the shapes rather than the numbers. These presentation choices, often made innocently, can damage a presenter’s credibility.
How to select meaningful metrics. The tools of the profession make cybersecurity measures available in great variety. However, many companies struggle to select the measures or metrics that are actually meaningful and all too often end up presenting large tables of numbers simply because they can be extracted from a tool. To select the metrics that are meaningful to an organization, it is important to understand the maturity of the capability being measured. As a capability matures, the object of measurement changes: implementation measures (is the control deployed?) give way to operational efficiency measures (how well does it run?) and finally to business impact measures (what risk does it reduce?).