
Enhancing cybersecurity metrics: CISO strategies

Cybersecurity is a board-level concern, yet many chief information security officers (CISOs) struggle to translate technical risks into actionable insights for directors.


In brief

  • CISOs must shift from static metrics to risk-informed reporting that aligns with board oversight and business strategy.
  • Effective board communication requires clear, value-driven insights that reflect risk appetite, evolving threats and mitigation progress.
  • Translating technical data into business impact builds trust, supports governance and strengthens cybersecurity’s role as a strategic enabler.

Special thanks to Jay Nambi, Brandon Bapst and Pengfei Wang for contributions to this content.

When CISOs ask, “What are the top X cybersecurity metrics we should report to the board?”, the answer is not straightforward. Effective reporting focuses on risk appetite, business alignment and enabling the board’s oversight responsibilities as part of the broader cyber risk management program, rather than on an arbitrary list of standard security metrics. This article provides a structured approach for CISOs to develop meaningful cybersecurity conversations that support board-level responsibilities. It also reflects how contemporary CISOs use metrics that matter to build better relationships with their boards and to serve as champions of protection for the firm.

Understanding the board’s perspective

Boards are responsible for governance and risk oversight, not operational management, which is delegated to senior management. For example, the board confirms that a cybersecurity risk management program is in place, aligns with the organization’s risk appetite and is regularly reviewed, but it does not make day-to-day security decisions. Boards need to understand whether the organization is within its risk appetite and has the resources to manage cybersecurity risks effectively. Board members’ questions typically center on:

  • What digital assets are most critical to our competitive advantage and what level of compromise could we realistically withstand?
  • How much operational downtime can we endure before significant impact to customer trust, safety or business performance?
  • What would a major cyber event cost us — not just financially but in terms of market position, legal exposure and brand reputation?
  • Are we strategically leveraging technology and digital innovation while staying within our acceptable cyber risk thresholds?
  • Is our cyber program adequately resourced to keep pace with both current threats and our digital transformation goals?
  • What evolving threats or regulatory changes could materially impact our operations in the next 12–24 months?

Structuring cybersecurity metrics and insights for the board


To effectively communicate cybersecurity risks and the organization’s security posture, CISOs should provide the board with regular, structured updates. These updates should offer a clear, ongoing assessment of the organization’s cybersecurity health and emerging threat landscape. The insights below are illustrative examples.


  • Intelligence-driven assessment of external threat landscape: Correlate intelligence-driven assessments of the external threat landscape, including emerging threats, to the potential impacts on internal business operations. The key question to answer is: What matters and why?
    • The rise of AI-driven cyber attacks heightens the likelihood of attackers gaining initial access to environments, leading to severe business interruptions. Ransomware or destructive attacks can result in significant financial losses and data breaches, including sensitive R&D and personally identifiable information (PII), eroding trust and causing lasting reputational damage.
  • Risk appetite alignment: Percentage of key risks within business-approved thresholds and risk tolerance levels. This requires a clear understanding of what is material to the business and should align with a holistic resiliency strategy, so that the required enterprise protection capabilities are confirmed to be in place.
    Illustrative metrics relate to cyber and operational risk management, such as risk appetite indicator (RAI) scores for each business unit or division:
    • For example, if an organization or business unit defines its risk appetite as tolerating no cyber risk that could lead to a financial loss exceeding $50 million (classified qualitatively as above “low”), it must maintain a prioritized list of top business concerns and risks. This list should be analyzed regularly to evaluate whether the estimated probability and potential loss magnitude of each identified risk could breach that threshold. One significant risk might be a “disruption to customer products due to a ransomware attack, resulting in loss of availability.” The organization would then assess the likelihood of such an attack and its potential financial impact to determine whether the risk sits within its appetite.
  • Compliance and regulatory status: Alignment with frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), International Organization for Standardization 27001 (ISO 27001), System and Organization Controls 2 (SOC 2), industry-specific regulatory requirements and SEC disclosure requirements. Example metrics include the percentage of applicable requirements met under each pertinent regulation or framework.
  • Risk mitigation progress: Demonstrate the progress of key investments intended to reduce risk exposure, typically through periodic independent assessments of the maturity of the cyber program, with read-outs made directly to the board. Example metrics include the percentage of major risk mitigation efforts on track, along with additional projects that could be funded and their projected risk reduction. Link each mitigation effort to the overall business risk posture, showing how investments align with strategic objectives and reduce exposure to critical threats. This helps keep risk within appetite while navigating emerging threats.
  • Value-centric operational cybersecurity metrics: Traditional operational key performance indicators (KPIs) and key risk indicators (KRIs), while informative, should not be the centerpiece of cyber risk discussions at the strategic level. Including a few operational metrics in an appendix can still be valuable for deeper dives or to address specific stakeholder questions. The primary focus should be on designing operational cybersecurity metrics that are aligned to business value and support tactical decision-making. These metrics should translate technical performance into meaningful insights that inform action, demonstrate impact and reinforce the cybersecurity function’s role as a business enabler. We will explore value-centric operational cybersecurity metrics in greater depth in an upcoming thought leadership piece. For now, the visual below illustrates a framework for structuring and communicating value-centric cybersecurity measurements, rooted in business strategy and informed by real-world inputs.
Figure: cyber metrics board reporting
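The risk appetite indicator described above (percentage of key risks within a business-approved loss threshold) is easy to state but only useful if the per-risk judgement is made consistently. The following is an added example, not code from the article or its authors: it models each key risk with an annual likelihood and a triangular loss range (minimum, most likely, maximum), computes the annual probability that the risk breaches the $50 million threshold, and rolls the result up into an RAI score per business unit. The risk register, the likelihoods, the loss ranges and the 5% tolerance are all constructed assumptions; a tolerance of zero gives the strict reading of “no risk that could exceed the threshold”.

```python
"""Illustrative risk appetite indicator (RAI) computation.

Added example, not from the article. Each key risk carries an annual
likelihood and a triangular loss distribution (min, most likely, max) and
is checked against a business-approved loss threshold. All figures below
are constructed assumptions for demonstration purposes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    business_unit: str
    annual_likelihood: float   # probability the loss event occurs in a year
    loss_min: float            # USD, best-case loss if the event occurs
    loss_mode: float           # USD, most likely loss
    loss_max: float            # USD, worst plausible loss


def prob_loss_exceeds(threshold, lo, mode, hi):
    """P(loss > threshold | event occurs) under a triangular distribution.

    Uses the closed-form triangular CDF. Returns 0 when the threshold is at
    or above the worst case and 1 when it is at or below the best case.
    """
    if threshold >= hi:
        return 0.0
    if threshold <= lo:
        return 1.0
    span = hi - lo
    if threshold <= mode:
        cdf = (threshold - lo) ** 2 / (span * (mode - lo))
    else:
        cdf = 1.0 - (hi - threshold) ** 2 / (span * (hi - mode))
    return 1.0 - cdf


def annual_breach_probability(risk, threshold):
    """Annual probability that this risk produces a loss above the threshold."""
    return risk.annual_likelihood * prob_loss_exceeds(
        threshold, risk.loss_min, risk.loss_mode, risk.loss_max)


def within_appetite(risk, threshold, tolerance):
    """True if the annual chance of breaching the threshold is within tolerance.

    tolerance=0.0 is the strict reading of "no risk that could exceed the
    threshold": any risk whose worst case passes it is outside appetite.
    """
    return annual_breach_probability(risk, threshold) <= tolerance


def rai_by_business_unit(risks, threshold, tolerance):
    """Percentage of key risks within appetite, per business unit."""
    counts = {}
    for r in risks:
        within, total = counts.get(r.business_unit, (0, 0))
        counts[r.business_unit] = (
            within + int(within_appetite(r, threshold, tolerance)), total + 1)
    return {bu: {"within": w, "total": t, "pct_within": round(100.0 * w / t, 1)}
            for bu, (w, t) in counts.items()}


# Constructed sample register (hypothetical business units and figures).
RISK_REGISTER = [
    Risk("Ransomware disrupts customer-facing products", "Retail", 0.30, 10e6, 40e6, 120e6),
    Risk("PII breach via third-party SaaS", "Retail", 0.20, 2e6, 8e6, 30e6),
    Risk("OT outage from destructive malware", "Manufacturing", 0.05, 20e6, 60e6, 200e6),
    Risk("Cloud misconfiguration exposes internal data", "Manufacturing", 0.50, 1e6, 5e6, 20e6),
]

APPETITE_THRESHOLD = 50e6   # the $50 million loss ceiling from the article
TOLERANCE = 0.05            # assumed: up to a 5% annual chance of breaching it


if __name__ == "__main__":
    for r in RISK_REGISTER:
        p = annual_breach_probability(r, APPETITE_THRESHOLD)
        status = "within" if within_appetite(r, APPETITE_THRESHOLD, TOLERANCE) else "OUTSIDE"
        print(f"{r.business_unit:14} {r.name:48} P(breach)/yr={p:5.3f}  {status}")
    for bu, s in rai_by_business_unit(RISK_REGISTER, APPETITE_THRESHOLD, TOLERANCE).items():
        print(f"RAI {bu}: {s['within']}/{s['total']} key risks within appetite ({s['pct_within']}%)")
```

With these inputs the ransomware risk is outside appetite (roughly a 17% annual chance of a loss above $50 million) while the OT risk sits just inside the 5% tolerance; rerunning with a tolerance of zero flags the OT risk as well, which is the kind of sensitivity a board should see alongside the headline percentage.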

Key considerations for effective cybersecurity communication and relationship development

Conclusion

CISOs must transition from traditional static cybersecurity metrics and embrace a risk-informed approach to board communication. By prioritizing proactive and reactive metrics that align with business objectives, CISOs can facilitate strategic, insightful and actionable discussions on cybersecurity at the board level. Ultimately, effective cybersecurity reporting should empower the board to fulfill its oversight responsibilities and make informed decisions that align with the organization’s risk appetite and enhance long-term resilience.


Summary

Cybersecurity reporting is most effective when it aligns with business strategy, communicates risk in plain language and supports board oversight. By focusing on risk appetite, evolving threats and measurable progress, CISOs can foster trust and enable informed decision-making at the highest level.
