Factual and accurate: how to get information to the Board
08:00 Thursday, 05 August 2021
UK Cyber Security Council
One of the CISO’s key jobs is keeping management informed about the cyber security regime within the organisation. Many perceive this as a highly difficult task: boards seldom have a great deal of knowledge or understanding of cyber security – particularly the technicalities – and so getting the message across is a non-trivial task.
The CISO is, by definition, highly expert in cyber security. In the area of board reporting this can, however, be more of a drawback than an advantage because the CISO is tempted to write something narrative and qualitative. In fact, the report content needs to be entirely the opposite: it needs to be simple, clear and quantitative.
The first key ingredient in the board report is facts. It is a cardinal sin to use subjective words such as “good”, “poor” or “effective” on their own: without a measure behind them they mean nothing. By default, use numbers; if you want to use indicators such as the ubiquitous “RAG” (red, amber, green) then be sure to include a key that clearly shows the meaning of each of the colours, ideally as the numeric thresholds that put a figure into each band, so that the colour is derived from the data rather than from judgement.
Some facts on the report will be comprehensible to non-cyber readers: most board members will, for instance, comprehend that zero breaches in a period is good and more than zero is bad. There may be instances, however, where the non-experts’ knowledge is not sufficiently extensive, and it is advisable to put some explanatory notes where you think things might be hard to comprehend. If possible, though, put the notes in an appendix and reference that from the report rather than including them in the main pages/slides and taking up space that could be used for informative data.
The inclusion of hard facts facilitates the most useful ingredient of a board report: trends. Most people in your organisation are “time-poor”, and this becomes more apparent the higher up the organisation one looks. Whether they tell you this or not, the board want your report to show two things: a set of data that gives a comprehensive view of the security posture of the organisation; and a clear subset of that data that they need to care about. Trends are a perfect way to make issues of concern stand out: remediation due dates that slip from month to month, RAG statuses that remain red for several months (or go from red to green). If one shows data over time, the differences leap off the page and the board members see them easily.
There is another key factor in reporting, though, which provides the means to report trends: consistency. If you are showing trends over time, it is imperative that this month’s figures are truly comparable with last month’s – that they were measured in the same way, using the same criteria and data sources. If you are compelled to change the way in which something is measured – because the monitoring software used previously is replaced, perhaps – it is advisable to retro-fit the legacy data where possible (re-measuring the earlier periods with the new method, and saying on the report that the historical figures have been restated) so that the trend makes sense. And if this isn’t possible, the solution is simply to omit the trend and state why on the report; a line drawn through incomparable figures is worse than no line at all.
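The three ingredients above (numbers with an explicit RAG key, trends that make slipped dates and persistent reds stand out, and a consistency check that omits a trend rather than show incomparable figures) can be assembled mechanically from monthly snapshots. The following is an added example, not code from the UK Cyber Security Council or from any particular reporting tool; the metric names, thresholds, source names and sample figures are constructed for illustration.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# RAG key published with the report so each colour has a stated meaning.
# Bands are inclusive; an upper bound of None means "and above". The metric
# names and thresholds are assumptions for this example.
RAG_KEY = {
    "critical_patches_overdue": [("green", 0, 0), ("amber", 1, 5), ("red", 6, None)],
    "confirmed_breaches": [("green", 0, 0), ("amber", 1, 1), ("red", 2, None)],
}

def rag(metric: str, value: int) -> str:
    """Map a number to a colour using the key, never by judgement."""
    for colour, lo, hi in RAG_KEY[metric]:
        if value >= lo and (hi is None or value <= hi):
            return colour
    raise ValueError(f"{value} is outside the RAG key for {metric}")

@dataclass(frozen=True)
class Snapshot:
    month: str    # ISO year-month the figure was reported for, e.g. "2021-05"
    source: str   # system the figure was extracted from
    value: int

def trend(metric: str, series: list[Snapshot]) -> dict:
    """Month-on-month trend for one metric, or an omission with its reason.

    Figures pulled from different sources are not comparable, so rather than
    draw a misleading line the trend is left out and the note says why.
    """
    series = sorted(series, key=lambda s: s.month)
    sources = sorted({s.source for s in series})
    if len(sources) > 1:
        return {"metric": metric, "trend": None,
                "note": f"trend omitted: source changed ({' / '.join(sources)}), figures not comparable"}
    rows, prev = [], None
    for s in series:
        rows.append({"month": s.month, "value": s.value,
                     "rag": rag(metric, s.value),
                     "delta": None if prev is None else s.value - prev})
        prev = s.value
    return {"metric": metric, "trend": rows, "note": None}

def months_red(rows: list[dict]) -> int:
    """Length of the trailing run of consecutive red months."""
    n = 0
    for r in reversed(rows):
        if r["rag"] != "red":
            break
        n += 1
    return n

@dataclass(frozen=True)
class Remediation:
    item: str
    month: str    # report month in which this due date was stated
    due: date

def slipped(items: list[Remediation]) -> list[dict]:
    """Remediation items whose due date moved later between reports."""
    history: dict[str, list[Remediation]] = defaultdict(list)
    for r in items:
        history[r.item].append(r)
    out = []
    for item, hist in history.items():
        hist.sort(key=lambda r: r.month)
        for earlier, later in zip(hist, hist[1:]):
            if later.due > earlier.due:
                out.append({"item": item, "month": later.month,
                            "from": earlier.due.isoformat(), "to": later.due.isoformat()})
    return out

def attention_list(metrics: dict[str, list[Snapshot]],
                   remediations: list[Remediation], red_months: int = 3) -> dict:
    """The subset of the data the board needs to care about."""
    persistent_red, omitted = [], []
    for metric, series in metrics.items():
        t = trend(metric, series)
        if t["trend"] is None:
            omitted.append(t["note"])
        elif months_red(t["trend"]) >= red_months:
            persistent_red.append({"metric": metric, "months": months_red(t["trend"]),
                                   "latest": t["trend"][-1]["value"]})
    return {"persistent_red": persistent_red, "slipped": slipped(remediations),
            "omitted_trends": omitted, "rag_key": RAG_KEY}

# Constructed sample data: four months of patching figures from one source,
# and breach counts whose source changed when the SIEM was replaced.
SAMPLE_METRICS = {
    "critical_patches_overdue": [Snapshot("2021-03", "wsus", 9), Snapshot("2021-04", "wsus", 8),
                                 Snapshot("2021-05", "wsus", 7), Snapshot("2021-06", "wsus", 7)],
    "confirmed_breaches": [Snapshot("2021-03", "siem_old", 0), Snapshot("2021-04", "siem_old", 0),
                           Snapshot("2021-05", "siem_new", 1)],
}
SAMPLE_REMEDIATIONS = [
    Remediation("MFA for VPN", "2021-04", date(2021, 6, 30)),
    Remediation("MFA for VPN", "2021-05", date(2021, 7, 31)),   # slipped a month
    Remediation("MFA for VPN", "2021-06", date(2021, 7, 31)),
    Remediation("Legacy FTP decommission", "2021-05", date(2021, 8, 1)),
    Remediation("Legacy FTP decommission", "2021-06", date(2021, 8, 1)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(attention_list(SAMPLE_METRICS, SAMPLE_REMEDIATIONS), indent=2))
```

Run as a script, it prints the attention list for the sample data: the patching metric has been red for four consecutive months, the VPN MFA due date slipped from June to July between the April and May reports, and the breach trend is omitted with a note because the SIEM changed mid-series. Everything the board sees is derived from numbers and the published key; the CISO's opinion enters only when asked.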
If one is keeping the report factual, how can the board benefit from the expertise and expert opinion of the CISO? Simple: by asking questions. In an ideal world the CISO will be invited to at least some of the board meetings fairly regularly, and the board members can ask the CISO for clarifications or opinions. The point here is that the board are soliciting those opinions in the particular areas in which they are interested, rather than the CISO volunteering them (via the report) in every area – either at the expense of factual data that could have been in that space or by increasing the length of the report to accommodate it.
The approach is simple, then: quantitative and factual, showing trends and making it easy for the reader to see what matters most. There is one more question worth asking about board reporting, though: why are we reporting static data on a monthly or quarterly basis at all?
If we are aiming to report factual data, the majority of that factual data will be extracted from our systems – malware statistics from the anti-virus software management console, patching/update information from the update server, and so on. Is there any reason, then, why we cannot present this via an interactive dashboard rather than by pasting it into a PowerPoint slide set or a Word document that gets distributed as a PDF?
Such interactive reporting would make everyone a winner: the board can dip in whenever they wish and, if the dashboard pulls the data from systems, it reduces the manual load on the CISO. Two cautions apply. The dashboard must preserve point-in-time snapshots and apply the same definitions month after month, otherwise the consistency that makes trends meaningful is lost, and because it aggregates the organisation’s security posture in one place, access to it should be restricted to those who need it. The approach is seldom used, but an attractive one to consider.