5 minute read 1 Mar 2019
Programmer laptop server room working

Five considerations for cybersecurity reporting


Mark Watson

EY Americas FSO Board Matters Deputy Leader

Focused on helping financial services firms become resilient and well-governed. Passionate about sound public policy. Avid movie goer. Electronic dance music fan. Proud Anglo-American.

5 minute read 1 Mar 2019

We explore how cybersecurity leaders can embed leading-edge security practices and risk intelligence within key operations and processes.

Disruptive technology is changing the game for cybersecurity and risk management leaders, just as it is for business and functional leaders. Artificial intelligence (AI), blockchain, robotic process automation (RPA) and the cloud are changing how companies operate and engage with customers, whose expectations for speed, transparency and personalization are constantly increasing.

Beyond the need for companies to detect, repel and recover from increasingly sophisticated threats, there is growing need for organizations to report to their management, boards and outside stakeholders (such as shareholders) on how the organization is being protected from the growing rates of cyber attacks.

Models such as Trust by Design is an approach that can both enrich relationships with customers and strengthen protections for digital assets and their associated brand. Trust by design reflects the idea that digital security is an enabler of – rather than a barrier to – growth.

Cybersecurity leaders must enhance the quality and integrity of data and educate the business on what metrics matter and why they matter – and do so with the urgency today’s consumers demand.

Here are five considerations for risk management and cybersecurity leaders to consider as they work to enhance their metrics, dashboards and reporting capabilities based on our experience in helping a diverse range of financial services organizations.

1. It’s all about metrics

Board members and business stakeholders need to see risk metrics in a context they can understand, such as cost and operational impacts (e.g., downtime associated with certain security events). The strongest metrics don’t just relate what happened, but also “tell a detailed story,” reflecting both what has occurred (recent events and trend lines) and where the organization is going (relevant forecasts). Probability estimates relative to security events can be an effective metric for capturing the attention of business leaders.

Beyond communicating how many breach attempts the company experiences, metrics should highlight how quickly the breach attempts were detected, how resilient the organization is in terms of repelling them and how effectively the organization is in recovering after the breach has been detected. Better still, metrics can suggest or promote effective actions (e.g., by identifying preventive steps the business can take to further strengthen protections). Ideally, key risk indicators (KRIs) would be closely linked to key performance indicators (KPIs) for the business.

2. Implement product and service management

Most financial services firms already use dashboards, including “red-yellow-green” formats. While these provide easy-to-understand, “snapshot” views of data, they may not be fully understood by board members or business stakeholders. The key is educating those groups on what the metrics mean, so directors can ask the right questions related to issues identified by the data (see the next point), which in turn helps instill a more risk-aware culture.

Dashboards can help show progress in the use of higher quality or more timely data. It’s never too late to build a better dashboard or consolidate existing ones. In other words, smarter dashboards clearly illustrate the value of better data and metrics.

3. Significant data challenges remain

Data accessibility, quality and reliability will determine how effective metrics and even the best-designed dashboards can be depended upon. Most businesses have room for improvement in these areas. Even senior security professionals spend too much time hunting for data and reworking spreadsheets to get the views they need. Data quality issues affect business stakeholders, too. When there is low confidence in underlying data, executives will be skeptical of metrics and reports.

There is a clear and pressing need to increase the confidence level in data integrity. Increased automation, which can streamline data collection, enhance data quality and free time for higher-value analytical work, should be a priority for risk and cyber teams. 

4. Education, communication and contextualization are big parts of the job

Even well-defined, digestible metrics and the sharpest dashboards may need to be contextualized for the business. Board members and business stakeholders must understand both what metrics mean and why they matter. This is especially important given the speed at which new threats emerge and existing risks mutate.

Further, they need confidence that the data underlying the metrics is trustworthy. For instance, tracking the number of cyber attacks and how many have been successfully repelled is somewhat useful, but not necessarily meaningful in highlighting the company’s ability to resist or recover from the most serious attacks.

5. Think bigger – and differently – to enable trust by design

Reporting metrics and engaging the business remain atop the agenda for cybersecurity teams, but forward-looking leaders are considering how increased risk intelligence can add to the business. Considering that consumers now look to the private sector for security, trust is especially important. In fact, “trust” may be consumers’ top metric for evaluating and deciding who they want to do business with.

That’s why more organizations are aiming for trust by design, an approach that ingrains effective risk management and cybersecurity practices into the texture of the business. Engaging product development teams to instill risk intelligence in decision-making about features and experiences is one example where risk leaders are gaining traction with the business. 


Cybersecurity leaders and teams have a great deal on their plate, but play an essential role in protecting company assets and reputations and an increasingly important one in building trust-based relationships with customers. Cybersecurity reporting, metrics and dashboards, assist organizations in understanding their risk posture, but also help them to make more information decisions as they prepare for the unknown of tomorrow.

About this article


Mark Watson

EY Americas FSO Board Matters Deputy Leader

Focused on helping financial services firms become resilient and well-governed. Passionate about sound public policy. Avid movie goer. Electronic dance music fan. Proud Anglo-American.