By Elon Kaplan
“Most of my BOD members have limited or no IT and security knowledge, and they come to me for help with any cybersecurity-related issue.” That quote came from a good friend, a former CIO who sits on the board of a large bank.
How is it that board members are fully competent to make educated decisions in complex domains such as business, strategy and many others, yet feel far less capable when it comes to cybersecurity?
The answer is metrics.
Without a cyber-scorecard, the board is left with ambiguous technology acronyms, horror stories in the morning papers and ever-increasing budget demands.
So, what should a Cyber-Scorecard include?
Business relevance – every figure presented should be tied to a business unit or a business asset. There is no need and no reason to shift your focus and start talking about networks and clouds; all of that terminology can and should be translated into business terms.
Time relevance – what is our status today compared to last month and last quarter? The absolute scale matters less; understanding the trend is critical.
Level of threat – very similar to competitive analysis: knowing who the key adversaries are (financially motivated criminals, political hacktivists) and what they are after (stealing money, disrupting operations). Pareto's principle applies well here: what was the trend in these actors' level of activity against our core assets, and what is the forecast for the near future?
Quality of defense – the fact that we spent X dollars on a defensive technology does not mean it is deployed and functioning properly. The term maturity captures the quality of deployment, operation and management of defenses. A simple score for the current maturity of defenses in each business unit, compared to last month or last quarter, is more than a good enough measure.
It's easy to drown you in DATA. What you need is relevant INFORMATION. With just a few indicators, the status and the required focus become clear.
The best way to get the picture at a glance is to look at only three indicators for each asset:
the overall status of defenses against threats,
how we stand compared to last quarter,
the potential financial impact we should be prepared for.
What should a Cyber-Scorecard enable?
What-if scenarios – as a board member you are used to requesting sensitivity analysis for a variety of events and outcomes in finance, regulation, business initiatives and more. Why not for cyber? A comparative Cyber-Scorecard for several alternatives, such as different security investments, or the outcome if we were hit the same way another business reported, makes this possible.
Compare apples to apples – risk management is all about hedging and mitigation: compare the cost of cyber insurance against the cost of in-house investment and the cost of an external service. Using the same Cyber-Scorecard, quantified in financial terms, enables cost-effective management of cyber risk at a strategic level.
Cybersecurity is no different from any other risk-related decision: once you have the relevant information at the required level of granularity, it's business management 101.
No PowerPoint! No Excel! – the first demand to make of cybersecurity management is continuous monitoring. Spreadsheets and presentations represent a long effort in preparing data for you, so they are tailored and already outdated the moment they are presented. Less sparkle, fewer graphics and more up-to-date data indicate that your cybersecurity manager is on top of things in real time. If he or she presents to you using the same platform they use for their own operations and management, you are in good hands.
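To make the three-indicator scorecard and the what-if comparison concrete, here is an added example that is not part of the original post and does not describe any particular product. The risk model is an assumption for illustration only: expected annual loss is taken as the yearly rate of damaging attempts multiplied by the probability that an attempt succeeds (scaled down by control maturity on an assumed 0 to 5 scale) multiplied by the financial impact of one successful hit. The asset, its figures, the maturity thresholds and the four options (do nothing, in-house programme, managed service, cyber insurance) are all constructed sample data.

```python
"""Toy cyber-scorecard: three indicators per asset plus a what-if comparison.

Added example, not code from the original post.  The risk model is an
assumption: expected annual loss = attempts per year x P(attempt succeeds)
x impact, with P(success) falling as control maturity (0..5, assumed) rises.
"""
from dataclasses import dataclass

MAX_MATURITY = 5.0          # assumed scale: 0 = nothing deployed, 5 = fully operated


@dataclass(frozen=True)
class AssetSnapshot:
    """One business asset's figures for one reporting period (constructed data)."""
    name: str
    maturity: float          # quality of deployment/operation of defenses, 0..5
    threat_rate: float       # expected damaging attempts per year against this asset
    impact: float            # financial impact of one successful hit, in dollars


@dataclass(frozen=True)
class Option:
    """A what-if alternative the board could fund (assumed modelling)."""
    name: str
    annual_cost: float       # premium, programme budget or service fee per year
    maturity_after: float    # maturity the asset reaches if this option is chosen
    loss_retained: float = 1.0  # share of loss we still bear (insurance transfers some)


def success_probability(maturity: float) -> float:
    """Assumed: P(success) drops linearly with maturity, floor 5% (no control is perfect)."""
    m = max(0.0, min(MAX_MATURITY, maturity))
    return max(0.05, 1.0 - m / MAX_MATURITY)


def expected_loss(snap: AssetSnapshot) -> float:
    """Expected annual loss in dollars under the assumed model."""
    return snap.threat_rate * success_probability(snap.maturity) * snap.impact


def status(snap: AssetSnapshot) -> str:
    """Indicator 1: overall status of defenses against threats (assumed thresholds
    on expected successful hits per year)."""
    hits_per_year = snap.threat_rate * success_probability(snap.maturity)
    if hits_per_year < 0.1:
        return "GREEN"
    if hits_per_year < 0.5:
        return "AMBER"
    return "RED"


def scorecard(current: AssetSnapshot, previous: AssetSnapshot) -> dict:
    """The three indicators for one asset: status, trend vs last period, exposure."""
    now, before = expected_loss(current), expected_loss(previous)
    # Trend as a fraction: negative means exposure fell since last period.
    trend = round((now - before) / before, 2) if before else 0.0
    return {
        "asset": current.name,
        "status": status(current),
        "trend_vs_last_period": trend,
        "expected_annual_loss": round(now),
    }


def total_annual_cost(snap: AssetSnapshot, opt: Option) -> float:
    """Apples-to-apples figure: option cost plus the residual loss we still carry."""
    after = AssetSnapshot(snap.name, opt.maturity_after, snap.threat_rate, snap.impact)
    return opt.annual_cost + opt.loss_retained * expected_loss(after)


def what_if(snap: AssetSnapshot, options: list[Option]) -> dict[str, int]:
    """Comparative scorecard: every alternative expressed in dollars per year."""
    return {opt.name: round(total_annual_cost(snap, opt)) for opt in options}


def cheapest(snap: AssetSnapshot, options: list[Option]) -> str:
    return min(options, key=lambda opt: total_annual_cost(snap, opt)).name


# Constructed sample data for one asset, this quarter and last quarter.
PAYMENTS = AssetSnapshot("Payments platform", maturity=3.0, threat_rate=1.0, impact=2_000_000)
PAYMENTS_LAST_Q = AssetSnapshot("Payments platform", maturity=2.5, threat_rate=1.0, impact=2_000_000)

# Constructed what-if options; costs and maturity gains are assumptions.
OPTIONS = [
    Option("Do nothing", annual_cost=0, maturity_after=3.0),
    Option("In-house programme", annual_cost=300_000, maturity_after=4.5),
    Option("Managed service", annual_cost=450_000, maturity_after=4.0),
    Option("Cyber insurance", annual_cost=350_000, maturity_after=3.0, loss_retained=0.25),
]

if __name__ == "__main__":
    print(scorecard(PAYMENTS, PAYMENTS_LAST_Q))
    print(what_if(PAYMENTS, OPTIONS))
    print("Cheapest alternative:", cheapest(PAYMENTS, OPTIONS))
```

The point of the exercise is the shape of the output, not the numbers: each asset reduces to a status, a trend and a dollar exposure, and every alternative (including insurance, which changes the retained share rather than the maturity) lands in the same unit, so the board can rank them the way it ranks any other hedge.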