3 Metrics CISOs Should Present to the Board and How to Calculate Them

Learn how CISOs (chief information security officers) can use financial metrics to communicate the success of their cybersecurity program to the board.

February 23, 2024


Sravish Sridhar, CEO & founder of TrustCloud, discusses key metrics every CISO should track and share with their board to build alignment with leaders and how to calculate them. 

For cybersecurity leaders and CISOs, the list of worries that keep them up at night seems endless and only growing longer. While the number one concern will differ from one security professional to another, it’s more likely than not that quarterly board presentations are somewhere near the top of the list. 

Strategies for Board Engagement

CISOs lead a pricey business function, and it typically only gets pricier in the face of the current threat environment. It can be daunting and frustrating to attempt to prove the value and impact of your program to organizational leadership and board members when they often don’t have the expertise or context to understand security fully. It gets even trickier when you go beyond justifying your budget to asking for more in order to protect your organization properly. 

You won’t have the room’s full attention for long in the quarterly board meeting. And you’ll need to share results that resonate and make sense to leaders with varied expertise, little of which is likely to be security. So here are the three key metrics CISOs should share in board meetings to speak the same language as those in the room while simultaneously justifying your security program. I’ll also share how to calculate these metrics and ideas for presenting them. Hopefully, after reading this, you can sleep a bit easier, CISOs. 

1. Revenue influenced by security and GRC (Governance, Risk, and Compliance) programs 

Revenue is among the top priorities and concerns for any business and its board and leadership team. Consequently, calculating revenue influenced by the security program should be a top priority for CISOs when it comes time to present to the board and leadership. A healthy security program should support the business by showing potential customers you are an organization that prioritizes protecting their data and privacy and can be trusted.

“CISOs are often challenged to explain and contextualize security and privacy investments. It’s hard to quantify risk measurement, and most existing tools are simply too qualitative without a clear and comprehensive framework,” said Sheila Gulati, Managing Director at Tola Capital. “By directly tying security programs to potential revenue impact and risk categories, infosec leaders can more clearly articulate the value of their resources. I’d advise any leader today to have a strong system to continuously prove their impact and efficiency.”

Calculating revenue influenced by security

Coming up with this metric is fairly simple. It measures every new customer that has evaluated your security and privacy posture. Look at the accounts that interacted with your security and privacy program through a security questionnaire or compliance status, and measure it over a 90-day window. Present this by showing:

  • The number of opportunities/accounts that interacted with, viewed, or asked for security and compliance information
  • The total associated contract value from the deals that were won 
  • Optionally, how long it took your team to complete and review security questionnaires and materials, so leaders can see how responsive you are to requests from potential and new customers

By showing this metric, the board and leadership will begin to understand the value of security and privacy investments from the perspective of revenue that has been positively impacted and, in some cases, accelerated by your security program. Instead of seeing security and compliance as a box that is either checked or not, highlighting customer requests for security information demonstrates just how critical a successful security program is. 

2. Financial impact of risk 

For CISOs, the stakes are always high. You are responsible for reducing risk and liability for your entire organization. The board and leadership care about risk but may not always understand how it should be prioritized and managed. Quantifying the potential impact of risk financially can create a better understanding and alignment with leadership on goals and investments related to reducing liability and risk.

According to Dan Walsh, CISO and Advisor at Paxos, “Calculating residual financial impact allows CISOs to more clearly communicate why risks matter and which ones need attention and investment today. This is critical to running an effective GRC program and showing leadership how you’re protecting the entire business.” 


Calculating the financial impact of risk

To calculate this metric, you must identify specific loss events, their likelihood, and their potential impact. This will need to be done manually and involves considering the true cost of each potential event, including business interruption, reputation damage, and payouts. This means identifying both primary and secondary losses. Here are some examples that may be relevant to consider for each:

  • Primary Loss:
    • Direct financial loss or payment 
    • Loss of business due to disruption of service
    • Cancellation of future deals 
    • Repair and remediation costs 
    • Regulatory fines 
    • Reputation damage 
  • Secondary Loss:
    • Legal and consulting costs
    • Increased cyber coverage and insurance 
    • Lost productivity due to risk incident 

After calculating the financial cost of each of these risks, you can present the potential financial impact. By tracking this number, your leadership will begin to understand:

  • How much cyber insurance is needed
  • If the cybersecurity budget should be expanded (and how X amount of budget is protecting against Y amount of financial liability) 
  • If budget cuts do need to be made, how much financial risk will be added by doing so
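The calculation described above, worked through as a small risk register. This is an added illustration, not code from the article or from TrustCloud: each loss event carries an annual likelihood plus itemized primary and secondary losses, the potential financial impact is likelihood multiplied by total loss, and the residual impact is the same figure recomputed with the likelihood and loss reduction that a planned mitigation is assumed to deliver. The event names, dollar amounts and probabilities are constructed sample values, and the mitigation fields (`mitigated_likelihood`, `mitigation_loss_factor`) are assumptions introduced here so the "X budget protects against Y liability" point in the text can be shown as a number.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LossEvent:
    """One identified loss event with its itemized primary and secondary losses."""
    name: str
    annual_likelihood: float                 # probability the event occurs in a year, 0..1
    primary_loss: Dict[str, float] = field(default_factory=dict)    # category -> dollars
    secondary_loss: Dict[str, float] = field(default_factory=dict)  # category -> dollars
    # Assumed mitigation effect (not from the article): likelihood after planned controls,
    # and the fraction of the loss that remains if the event still happens.
    mitigated_likelihood: Optional[float] = None
    mitigation_loss_factor: float = 1.0

    def total_loss(self) -> float:
        """Full cost if the event occurs: primary plus secondary losses."""
        return sum(self.primary_loss.values()) + sum(self.secondary_loss.values())

    def potential_impact(self) -> float:
        """Expected annual loss with current controls: likelihood x total loss."""
        return round(self.annual_likelihood * self.total_loss(), 2)

    def residual_impact(self) -> float:
        """Expected annual loss after the planned mitigation is applied."""
        likelihood = (self.mitigated_likelihood
                      if self.mitigated_likelihood is not None
                      else self.annual_likelihood)
        return round(likelihood * self.total_loss() * self.mitigation_loss_factor, 2)


def potential_financial_impact(events: List[LossEvent]) -> float:
    """Sum of expected annual losses across the register (the 'Y' liability figure)."""
    return round(sum(e.potential_impact() for e in events), 2)


def residual_financial_impact(events: List[LossEvent]) -> float:
    """Sum of expected annual losses once planned mitigations are in place."""
    return round(sum(e.residual_impact() for e in events), 2)


def board_summary(events: List[LossEvent], budget_allocated: float,
                  budget_requested: float) -> Dict[str, float]:
    """The four figures the article suggests presenting, plus liability reduced per requested dollar."""
    potential = potential_financial_impact(events)
    residual = residual_financial_impact(events)
    reduced = round(potential - residual, 2)
    return {
        "potential_financial_impact": potential,
        "residual_financial_impact": residual,
        "liability_reduced": reduced,
        "budget_allocated": budget_allocated,
        "budget_requested": budget_requested,
        # how many dollars of expected liability each requested dollar removes
        "liability_reduced_per_requested_dollar": round(reduced / budget_requested, 2),
    }


# Constructed sample register: two events with made-up likelihoods and loss items.
SAMPLE_REGISTER = [
    LossEvent(
        name="Ransomware outage on order-processing systems",
        annual_likelihood=0.10,
        primary_loss={"direct payment": 500_000, "service disruption": 1_200_000,
                      "repair and remediation": 300_000},
        secondary_loss={"legal and consulting": 150_000, "insurance increase": 50_000,
                        "lost productivity": 100_000},
        mitigated_likelihood=0.04,      # assumed effect of offline backups + segmentation
        mitigation_loss_factor=0.5,     # assumed shorter outage if it still happens
    ),
    LossEvent(
        name="Customer data exposed via third-party vendor",
        annual_likelihood=0.20,
        primary_loss={"regulatory fines": 400_000, "reputation damage": 250_000,
                      "cancelled deals": 350_000},
        secondary_loss={"legal and consulting": 100_000},
        mitigated_likelihood=0.10,      # assumed effect of a vendor review program
    ),
]

if __name__ == "__main__":
    for key, value in board_summary(SAMPLE_REGISTER, 900_000, 120_000).items():
        print(f"{key:40s} ${value:>12,.2f}")
```

With the sample figures the register carries $450,000 of expected annual loss today and $156,000 after the planned controls, so the $120,000 request removes about $2.45 of expected liability per dollar, which is the form of the "X budget vs. Y liability" comparison the text recommends. Run the same functions with the mitigation fields left at their defaults to show what a budget cut (no new controls) leaves on the table.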

3. Budget allocated vs. Budget requested 

After showing the board how your budget has been used to influence revenue and reduce financial liability, you can highlight the impact and importance of your budget by showing the budget allocated vs. requested.

“The best CISOs I have worked with have taken the time to clearly explain the business reasons behind why they need additional investments or reallocation of budget to improve the company’s security posture,” said Bob Brennan, Chairman at BitSight. “If I understand why and how they plan to drive positive business impact and growth for the business, I’m in.”

Calculating budget allocated vs. budget requested

First, you’ll need to add up the total budget for your program (including tech spend, employees, etc.). Working with the finance team can help. With this number in hand, you can make the case for additional resources if needed. Start by identifying and defining the risks that require additional budget, explaining why they threaten the business. Next, measure the financial impact of these risks. Lastly, outline the plan to mitigate these threats, specifically how much budget will be required and how long it will take. 

You can then present these metrics to the board by showing:

  • Potential Financial Impact
  • Residual Financial Impact
  • Budget Allocated
  • Budget Requested 

By delivering context alongside budget requests, leadership can better understand why an investment is needed and how it would be used to protect and support the organization. 

Communicating In Dollars and Sense

Instead of presenting the board with metrics related to cybersecurity acronyms they may not understand, CISOs can break through and communicate more clearly when metrics are focused on financial terms. These three metrics can showcase that security and GRC aren’t cost centers but support generating revenue, protecting reputation against risk and liability, and are used to earn and keep customers’ trust. Speaking the same language as those in the board meeting and giving the right context will justify your program and budget. 


Sravish Sridhar
Sravish is a successful 3-time startup founder with an entrepreneurial passion to build and support companies that bring meaningful innovation and change to society. Four career accomplishments bring him the most joy: 1) graduating debt-free from the University of Texas at Austin after putting himself through college, 2) building a piece of software that was used by 3.5 million people, 3) investors, customers, and people from each startup he’s founded have chosen to support and work with him in subsequent startups, and 4) every startup he helped start returned capital to investors and employees, and the software still runs in production today. Sravish is currently Founder and CEO at TrustCloud, enabling businesses to build trust with instant compliance verification.