Imagine the United Nations General Assembly with no translators—and people speaking dozens of different languages. That’s what it can be like when security teams share metrics and data with their organization’s board of directors.
The communications gap leaves many CISOs struggling to explain the value of security investments—and if security professionals can’t communicate that value, they run the risk of falling out of sync with business priorities, managing misaligned expectations or giving leaders a false sense of confidence about security readiness.
The good news is that boards recognize the importance of engaging on cybersecurity issues and are becoming more sophisticated on the topic. According to Gartner, by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today. But there continues to be a gap between the day-to-day metrics of a security program and the board's priorities.
Lost in Translation
Fortunately, there are metrics that make sense and matter to both teams, so everyone can speak the same language—no translators needed. These metrics produce insights that boards and security teams can act on together while taking into account people, processes, and technology.
At their core, boards approve the strategic direction of an organization as well as how the organization allocates resources and mitigates risk. To make an impact at the board level, security leaders have to present metrics that align with business objectives. Here's why many security metrics fall short of this goal:
Metrics such as the number of daily phishing alerts don't provide context—that is, they don't tell CISOs whether the numbers are good news or bad news. If metrics don't point to next steps, such as changing processes, configuring products better or identifying opportunities for automation, the path to action is unclear.