All the following aspects of your upstream communication will directly impact your departments, the boards confidence in you and your teams and most importantly the annual budget. As 2020 ends it will be more important than ever to have clearly defined objectives for the following year. However, defining the new requirements placed on your organization by the pandemic response may leave you less than completely prepared for the next steps. Sparity can help you meet your objectives by working to provide the data you need to better define and explain the following.

 

Intrusion Attempts

Make sure you explain the difference between “compromise” and “attempt.” Malicious actors will always attempt to gain entrance to data, the question is where cybercriminals focus their attacks and your ability to prevent them.

How to explain Mean Time to Detect (MTTD)

The main information you need to give your Board about this metric is: the time was short. The faster you can detect a risk, the more rapidly you can mitigate the threat. If you have a dashboard does in show that you continuously monitor and maintain a consistent security rating, then you can easily explain the link between the two. Chances are, your Board can easily see that you maintain a robust security posture as long as you can say, “we were able to detect security threats within hours, meaning that we were able to mitigate them rapidly to prevent additional risk to the organization.” If you can not confidently say this, then it may be time for a red team penetration test to both train and improve your posture.

How to explain Mean Time to Respond (MTTR) and Mean Time to Contain (MTCC)

Unfortunately, despite the best detection methods, malicious actors will more likely than not find a way to infiltrate your organization’s security defenses. Either because of network changes due to the pandemic or because the cadence of patch management has accelerated beyond current ability of systems and staff. Response time, then, becomes the next most important metric for your dashboard. The 2019 IBM Cost of a Data Breach report noted that employing artificial intelligence (AI) platform reduced the costs of a data breach by $230,000 on average. With an AI platform, you can gain real-time visibility into the threat vector associated with the security incident, meaning that you can more rapidly respond to the threat.

If your security rating platform provides visibility into the risk factor associated with the security incident, you can prove how rapidly your team responded. For example, if the cybercriminals gained access to your systems using a cross-site scripting attack and your platform reviews for web application security as a risk factor, you can easily see the lowered score to respond directly to that issue. Then, you

can monitor the risk factor and provide the increased score post-response as a metric for proving rapid response time. Additionally, the improved score gives a metric that provides the Board confidence over your ability to contain the threat. If the improved, post-incident risk factor score stays stable, you can show that the threat has been successfully contained.

How to explain patching cadence

Proving that all systems are continuously updated according to best practices can be challenging. The increase of large-scale data breaches are the results of a cybercriminal the ability for lateral movement within the network possibly from a single unpatched server. With a security rating platform that monitors patching cadence across all endpoints, you can gain insight into how well your organization maintains its patching cadence. A high score for that risk factor indicates that you are appropriately updating all devices, systems, networks, and software to mitigate risk. With this metric, you can tell the Board that your teams’ ability to view all these locations and effectively update them lowers their financial and reputation risks.

How to explain vendor risk management effectiveness

Hopefully, your contracts enable you to review all your 3rd party vendors in the same way that you manage your own security. Often, organizations lack visibility into their supply chain risk. An IBM Cost of a Data Breach Report noted that breaches caused by third parties cost $370,000 more than other breaches.

If you are annually monitoring your supply chain, you can give your Board confidence over technology decisions. In the same way that you use these metrics to prove your own cybersecurity posture, you can prove governance over your vendors. Not only can you show the Board that your contracted resources are secure, but you can also give data surrounding your monitoring and relationship with them, including your communications with them, willingness to support your compliance efforts and their response times.

How does the organization compare to its industry peers?

Annually, Boards of Directors review their position within their market. Annual cybersecurity assessments, required by legislation or otherwise, enhance your ability to gain insight into how well you compare with others in the marketplace and enhance annual financial planning for the IT/Cybersecurity budget.

If the corporate Cybersecurity Maturity Model (CMM) rating is lower than that of a peer, you can drill down into the risk factors associated with the ratings. Worse yet, your score may have been reduced by drastic infrastructure changes in order to operate effectively due to remote workers. If one risk factor is causing the difference, then you can more easily report to your Board about how to improve the score and the budget they need to allocate to meet the market-level standard.

On the positive side, if your security ratings are stronger than peers, you can explain to your Board that you manage cybersecurity risks more effectively than your competitors do. Drilling down to the individual factors across your industry allows you to show your cybersecurity expertise and gives the Board confidence in your abilities as a CISO. Additionally, you can use these CMM scores as metrics to prove your ability to maintain effective information security controls as the Board looks toward new business objectives such as cloud migration.