This is the fourth in our series sharing thought pieces from the CISO Desk Reference Guide: A Practical Guide for CISOs, volume 1. In the following excerpt from Gary Hayslip’s essay for Chapter 4, Gary talks about the CISO’s need to present the right narrative to management. Please enjoy.
To Tell a Story with Metrics, Report It!
With metrics and dashboards, we are collecting information and measuring it against a known quantity. Then we display it in dashboards to monitor and track trends to make effective strategic business decisions. However, there is a third component that these two data elements feed: security reports. As CISO, you will create security reports for your executive management. These reports will describe the effectiveness of their cybersecurity investment, the health of your security program, and any information on specific topics requested by your board of directors. As CISO, you will also receive reports from your teams and your partners, vendors, and compliance professionals. This diverse collection of reports leads us to our last discussion: “What types of reports should a CISO create to educate executive management and sponsor a more resilient, cyber-aware corporate culture?”
As the CISO of an organization, the information you are collecting to help you manage your security and risk programs may mean little to your executive management team. However, this doesn’t mean your actions are not valuable to the organization. Instead, I believe it demonstrates that when you write your reports, you will need to put your information into the context of the audience. Remember, your message should be to educate, influence, and inform.
As a CISO, the reports you create, manage, contribute to, and analyze will typically fall into one of two primary categories. These report categories are technical reports and executive reports. You will create the technical reports for an IT/technical audience. These reports will predominantly contain daily, weekly, or standard operational data about your teams’ work for the organization’s benefit. Examples of these types of reports are “Daily Maintenance Reports,” “Weekly Data/Threat Analysis,” and “Server Remediation Updates.”
The key here is to generate these reports for a technical audience within your business unit and not to distribute them to executive management. Executive reports, however, are a different breed of information-sharing for a CISO. We write these reports for an audience whose primary drive is to maximize shareholder value and ensure the viability and profitability of the organization. This audience will require you to take a different approach to which subjects you report to them and to present this information efficiently, non-technically, and with a business focus.
So, let’s discuss some of the reports I have presented, as a CISO, to executive management and boards to inform them of the business’s cybersecurity and risk portfolios. One of the first reports I created as a CISO and still use today is the “framework/maturity report.” You base this report on the established framework (NIST CSF, ISO 27002, COBIT) used to build your cybersecurity program. Whichever framework you select, it will have domains with specific security controls that you will grade the organization against to get a baseline cybersecurity risk score. This “framework/maturity report” will be the company’s report card on its cybersecurity initiatives.
When I report to the board of directors, I like to convert it into visuals such as pie charts or bar graphs so they can easily see where we currently are concerning the threats we face or the gaps we are working to close. What is nice about this report is that you can use it as a quarterly progress report to demonstrate how your projects, new work processes, and new technologies improve the risk baseline score over time. This report can also help answer questions like, “How secure are we?” or “How effective have you been with the resources we have given your program?”
I have provided several other reports to boards of directors that are standard for CISOs. However, one that I have found many boards and executive management teams request is “Current Risks.” What are the current risks we face? What attacks or cyber incidents have we seen in our organization, area, and industry? I have brought in guests from law enforcement and security agencies to provide threat briefings for this report. These briefings are a great resource to give the data in these reports some context and help the board understand the impact of doing business in an interconnected world with its evolving threat landscape. We do not mean to generate fear with this report; instead, it is to educate so that you and the executive team can work as partners and make strategic decisions with known technical risks out in the open.
Another type of report that you, as CISO, will own and must manage is for compliance. These individual reports will require information that ties into our previous discussions on your organization’s data, the industry verticals your company competes in, and any mandatory regulatory requirements. As with the framework/maturity report, compliance regimes will have their lists of specific security controls that the company must follow, and this report will be the grade card on how you are meeting these obligations. I use the same techniques with the framework/maturity report when presenting compliance reports to executive management. I like to have visuals that display the organization’s compliance efforts in a relevant, comprehensive format that is easy to understand.
One last report I will discuss is the “Incident Response” report. You can deliver it in two ways to executive management. The first is an after-action report on the status of a recent cybersecurity incident. In this context, you will want to keep the information concise and to the point. State what happened, how it happened, the extent of the damage, what risk there is to the company, what you learned from the incident, and what will be required to fix the issue to ensure it doesn’t happen again or, more realistically, to ensure that if it does happen again the impact will be lessened and more manageable.
The second type of “Incident Response” report I have sometimes provided contains statistics on a business continuity/incident response training exercise. Here the information is focused on how quickly the teams could be activated, how fast the secondary data center was active with copies of data, and recommendations for improvement. As you can see from the examples of executive reports I have provided, they deliver a more global view of the organization concerning cybersecurity and risk, and they demonstrate how the cybersecurity program offers value to the business.
As CISO, you will experience intense scrutiny from the organization on the services you and your teams provide to the business. To answer the questions and requests that will come your way, you must continually balance your security program’s efficiency and effectiveness to ensure it provides value. To do this competently, you must understand the metrics and data you collect, why you gather this information, and how it relates to the organization’s business operations. You will need to use custom dashboards to make the data relevant to your audiences, you will use these dashboards as strategic tools, and you will develop reports to educate executive management.
These three core instruments (metrics, dashboards, and reports) are in your CISO toolbox and are critical for your security program and the viability of your organization. So please educate yourself on how to use them, do not be afraid to request assistance from other business units to help develop them, and be proud to tell your team’s story about how cybersecurity is essential to your company’s success.