Cyber-Risk Oversight Toolkit

Board-Level Cybersecurity Metrics

By J.R. Williamson, Leidos, and Michael Higgins, L3Harris

03/24/2023

Boards use metrics to help inform their strategic and oversight functions on finance, market competition, marketing, sales, etc. Similarly, oversight of various forms of enterprise risk such as market risk, credit risk, and operational risk has also evolved and progressively moved from qualitative assessments to quantitative assessments. This tool describes how the board can use metrics to assess the effectiveness of cybersecurity programs and offers advice on how boards can leverage them to conduct oversight of their organization’s cybersecurity programs.


METRIC FOCUS AREAS

Boards should expect metric-based reporting to focus on strategic, operational, financial/economic, and benchmark figures.

Strategic Metrics
Directors should ask management about strategic metrics related to the company’s approach to security and risk.
  • Which strategic metrics are most critical to our organization?
  • How are we measuring those security and risk indicators that have the greatest impact on our outcomes as an organization?
Operational Metrics
Operational metrics provide little strategic context or information about performance and risk position.
  • Operational metrics can still be helpful in assisting the board in understanding critical compliance issues and stimulating useful discussions about trends, patterns, root causes, and benchmarking.
Developing Cyber Economic Metrics
Cyber risk is now an accepted board-level conversation. For boards to better understand cybersecurity data, it helps to translate the data into financial metrics. Directors will need to work with management to determine the most relevant information, given their organization’s unique environment.
Benchmark Data
Third-party benchmarking data can be useful for assessing performance against peers and within your industry.
  • Most benchmarking data is operational and may not contain appropriate strategic context on its surface. Boards should ask management how this data applies back to overall cybersecurity or the organizational strategy.

STRATEGIC METRICS VERSUS OPERATIONAL METRICS

Directors should focus on strategic metrics about the company’s approach to cybersecurity and risk that are provided by the company’s management. While the focus should remain on strategic risks, certain operational metrics can be helpful in assisting the board in understanding critical compliance issues and stimulating useful discussions about trends, patterns, and root causes. Operational metrics can also be helpful with benchmarking when they provide strategic context or information about the impact on business performance and strategic risk positions. It is the role of management to avoid overly technical concepts and to translate them into business-impact terms that the board understands and can use as part of its oversight role.

Below are more detailed questions board members should be asking management to ensure proper metrics are being collected on the enterprise’s cyber risk, grouped in five categories as outlined in Principle 5 of the NACD's Director's Handbook on Cyber-Risk Oversight. Directors will work with management to determine the level of depth required, depending on each organization’s size and circumstances.

1. What is the threat environment we face?

Cyber risk leaders should provide the board of directors with an understanding of the threat environment that the company faces. Examples of good questions to ask include these:

  • What are the top threats faced by our industry?
  • How impactful have these threats been to our peers?
  • How many cyber incidents has our company experienced in the last reporting period?
  • Are there any new emerging threats that are affecting our business performance (e.g., trends in ransomware, zero-day attacks, new attack patterns)?
  • Are our threat intelligence capabilities adequate, and how do they compare to our peers?

2. What is our risk profile looking from the outside in?

Boards should get an assessment of the company’s security posture from independent sources. Here are some questions that boards should ask:

  • What is our vulnerability rating as measured by one of the leading security rating vendors?
  • How does our rating compare against the industry benchmark?
  • What are the security ratings of our strategic partners and suppliers?
  • What are the findings of the latest penetration testing performed by our external provider?
  • How mature are our cyber-risk management practices as assessed by a leading cyber consultancy?
  • Are there any outside sources for assessing our security posture that we may not be including? What about our audit firm?

3. What is our cyber-risk profile as defined by management?

Boards should expect management to provide metrics assessing the status and the performance of their cybersecurity program. Boards can ask questions like these:

  • How are we performing against basic cyber-hygiene compliance metrics related to the “five Ps” (passwords, privileged access, patching, phishing, and penetration testing)?
  • How mature are our cybersecurity practices as measured against a list of established best practices? (For example: NIST CSF, NIST SP 800-53, CIS Controls, NAS9933, CMMC)
  • What is the percentage of critical systems downtime and time to recover?
  • What is the mean time to detect and remediate cyber breaches?
  • What percent of our supply chain failed our cybersecurity assessment?
  • Are these metrics acceptable or not? How are they trending? What are our target goals?

4. What is our cyber loss exposure in economic terms?

As cyber risk has emerged as one of the top enterprise risks for most companies, boards and regulators are increasingly expecting companies to assess the frequency and the materiality of cyber events, and to express cyber risk in financial terms, as is done for the other forms of enterprise risk. Boards can ask questions like these:

  • What are our company’s key assets (“crown jewels”) and how do we measure their value?
  • What are the top cyber risks we have as a company?
  • What is the probable frequency and the probable magnitude of these top cyber events?
  • What cyber risk quantification model or models are we using to assess cyber risk? Have these models been independently validated?
  • What are the forms of loss that we can experience, and how are we measuring and reporting on those losses? (For example, productivity, response costs, replacement costs, fines and judgements, reputational loss)
  • What is the level of risk that we can tolerate as a business, and how are we tracking against it?
  • Is our cybersecurity spending adequate given the threats we face and our risk appetite targets?

5. Are we making the right business and operational decisions?

Boards must understand the cyber-risk implications of strategic business decisions, as they support digital growth or transformation initiatives. Good questions to ask can include these:

  • What is the cyber risk that we can incur in launching this new business initiative (such as the launch of a new digital product, moving to the cloud, etc.)?
  • What processes have we established related to making cyber-risk acceptance, cyber-risk remediation, and cyber-risk transfer decisions?
  • What cyber-risk scenarios should we mitigate with internal controls, and which ones should we insure against?
  • How much cyber insurance do we need? Does the proposed cyber insurance policy cover us adequately? How has the changing cyber insurance market impacted our risk exposure?
  • What is the cyber loss exposure associated with the new company acquisition? (Reference Tool G for a more in-depth discussion of cyber-risk oversight of mergers and acquisitions.)
  • What is the return on investment for our cybersecurity program?
  • Which key controls are most cost effective? Which ones are the least cost effective? Are there any (possibly older/outdated) initiatives eating up resources that would be better spent elsewhere?
