Cybersecurity leaders must enhance the quality and integrity of data and educate the business on what metrics matter and why they matter – and do so with the urgency today’s consumers demand.
Here are five considerations for risk management and cybersecurity leaders to consider as they work to enhance their metrics, dashboards and reporting capabilities based on our experience in helping a diverse range of financial services organizations.
1. It’s all about metrics
Board members and business stakeholders need to see risk metrics in a context they can understand, such as cost and operational impacts (e.g., downtime associated with certain security events). The strongest metrics don’t just relate what happened, but also “tell a detailed story,” reflecting both what has occurred (recent events and trend lines) and where the organization is going (relevant forecasts). Probability estimates relative to security events can be an effective metric for capturing the attention of business leaders.
Beyond communicating how many breach attempts the company experiences, metrics should highlight how quickly the breach attempts were detected, how resilient the organization is in terms of repelling them and how effectively the organization is in recovering after the breach has been detected. Better still, metrics can suggest or promote effective actions (e.g., by identifying preventive steps the business can take to further strengthen protections). Ideally, key risk indicators (KRIs) would be closely linked to key performance indicators (KPIs) for the business.
2. Implement product and service management
Most financial services firms already use dashboards, including “red-yellow-green” formats. While these provide easy-to-understand, “snapshot” views of data, they may not be fully understood by board members or business stakeholders. The key is educating those groups on what the metrics mean, so directors can ask the right questions related to issues identified by the data (see the next point), which in turn helps instill a more risk-aware culture.
Dashboards can help show progress in the use of higher quality or more timely data. It’s never too late to build a better dashboard or consolidate existing ones. In other words, smarter dashboards clearly illustrate the value of better data and metrics.
3. Significant data challenges remain
Data accessibility, quality and reliability will determine how effective metrics and even the best-designed dashboards can be depended upon. Most businesses have room for improvement in these areas. Even senior security professionals spend too much time hunting for data and reworking spreadsheets to get the views they need. Data quality issues affect business stakeholders, too. When there is low confidence in underlying data, executives will be skeptical of metrics and reports.
There is a clear and pressing need to increase the confidence level in data integrity. Increased automation, which can streamline data collection, enhance data quality and free time for higher-value analytical work, should be a priority for risk and cyber teams.
4. Education, communication and contextualization are big parts of the job
Even well-defined, digestible metrics and the sharpest dashboards may need to be contextualized for the business. Board members and business stakeholders must understand both what metrics mean and why they matter. This is especially important given the speed at which new threats emerge and existing risks mutate.
Further, they need confidence that the data underlying the metrics is trustworthy. For instance, tracking the number of cyber attacks and how many have been successfully repelled is somewhat useful, but not necessarily meaningful in highlighting the company’s ability to resist or recover from the most serious attacks.
5. Think bigger – and differently – to enable trust by design
Reporting metrics and engaging the business remain atop the agenda for cybersecurity teams, but forward-looking leaders are considering how increased risk intelligence can add to the business. Considering that consumers now look to the private sector for security, trust is especially important. In fact, “trust” may be consumers’ top metric for evaluating and deciding who they want to do business with.
That’s why more organizations are aiming for trust by design, an approach that ingrains effective risk management and cybersecurity practices into the texture of the business. Engaging product development teams to instill risk intelligence in decision-making about features and experiences is one example where risk leaders are gaining traction with the business.
Summary
Cybersecurity leaders and teams have a great deal on their plate, but play an essential role in protecting company assets and reputations and an increasingly important one in building trust-based relationships with customers. Cybersecurity reporting, metrics and dashboards, assist organizations in understanding their risk posture, but also help them to make more information decisions as they prepare for the unknown of tomorrow.
