"One of the issues we can't stress enough is that to arrive at insight and actionability, it's important that all parties agree on a set of metrics that are objective and consistent. The goal is to paint a clear picture of security performance over time, and to gain context about where your company sits relative to peers and competitors within your industry," Boyer added.
Focus on a fixed set of key indicators, and benchmark performance over time to gain valuable insight into the issues affecting your posture and effectiveness. Moreover, correlate performance changes with key events to gain an understanding about the impact of technology investments, headcount and policy decisions.
In short, shift the conversation from a numbers game to a performance review, as you would in other areas of the business.
As a security executive
Always provide context.
Historical trend data and peer comparisons are key points for helping leaders "get it" when the spotlight is turned on security performance.
Being able to show how your organization compares to others in your industry provides context that is often lacking from discussions about cyber security. Your board members bring expertise from their personal experience, so tying performance metrics back to companies they've managed or advised can help. Demonstrating that your company is more or less secure than others in your sector can help leaders justify strategic changes and investments that can improve your team's effectiveness.
"Context is key when it comes to security performance. If board members hear that overall security is going well, it gives them little information to bring cyber security into strategic decisions. A key way to add context to these discussions is through industry and peer benchmarking. If a security professional can tell the board, 'Here is where we are in relation to our industry and this is what I need for us to improve,' that is a strong and actionable statement," Boyer said.
Tell a story & teach a lesson.
Use this time to train your board members and fellow executives to be alert. Tell them what specific threats are targeting your company, what the attacks look like and what they can do to help avoid a breach.
If a peer has been breached and you fear you might also be a target, explain what conditions existed to allow the attack to happen and what you're doing to make the company more secure. By focusing on the specific threats your company is facing, instead of dwelling on issues you've already handled or the technical specifications of an attack, you can help prevent attacks from spreading.
"While conversations should stay high level when it comes to security, boards should be informed of major threats facing their company. In our recent analysis of the Education sector, we found that the Flashback virus was widespread on college networks," Boyer said.