Disruptive technology is changing the game for cybersecurity and risk management leaders, just as it is for business and functional leaders. Artificial intelligence (AI), blockchain, robotic process automation (RPA) and the cloud are changing how companies operate and engage with customers, whose expectations for speed, transparency and personalization are constantly increasing. These changes in technology and customer expectations can create new vulnerabilities.
Beyond the need for companies to detect, repel and recover from increasingly sophisticated threats, there is growing need for organizations to report to their management, boards and outside stakeholders (such as shareholders) on how the organization is being protected from the growing rates of cyber attacks. As these practices mature, risk management and cybersecurity leaders are also challenged to define and deliver the right risk and performance metrics, dashboards and reports.
Five considerations to enhance metrics, dashboards and reporting
Here are five considerations on enhancing cybersecurity risk reporting.
1. It’s all about metrics
Board members and business stakeholders need to see risk metrics in a context they can understand, such as cost and operational impacts (e.g., downtime associated with certain security events). The strongest metrics don’t just relate what happened but also “tell a detailed story,” reflecting both what has occurred (recent events and trend lines) and where the organization is going (relevant forecasts).
Metrics should highlight how quickly the security breach attempts were detected, how resilient the organization was in repelling them and how effective the organization was in recovering after the breach had been detected. Metrics can suggest or promote effective actions (e.g., by identifying preventive steps the business can take to further strengthen protections). Ideally, key risk indicators (KRIs) would be closely linked to key performance indicators (KPIs) for the business. Most organizations will benefit from using a combination of top-down and bottom-up metrics.
2. How to report in the right way
Many large companies already use reporting dashboards, including the “red-yellow-green” formats. While these dashboards provide easy-to-understand “snapshot” views of data, they may not be fully understood by board members or business stakeholders.
Dashboards should avoid reporting for reporting’s sake. Generally speaking, there is greater risk in reporting too much data rather than too little. The more that data and dashboards are tailored and “right-sized” for specific audiences, the more effectively they are able to communicate the organization’s cybersecurity status.
3. Significant data challenges remain
Data accessibility, quality and reliability determine how far metrics, and even the best-designed dashboards, can be depended upon. Most businesses have room for improvement in these areas. Even senior security professionals may spend too much time hunting for data to get the views they need. Data quality issues affect business stakeholders, too.
It is often difficult to assess the completeness of controls, because not all business units, product lines or functions integrate their data with enterprise systems. Still, reporting with imperfect data can be a catalyst for change. Increased automation, which can streamline data collection, enhance data quality and free up time for higher-value analytical work, should be a priority for risk and cyber teams.
4. Education, communication and contextualization are big parts of the job
Board members and business stakeholders must understand both what metrics mean and why metrics matter. This is especially important given the speed at which new threats emerge and existing risks mutate.
Boards need confidence that the data underlying metrics is trustworthy. For instance, tracking the number of cyber attacks and how many have been successfully repelled is somewhat useful, but not necessarily meaningful in highlighting a company’s ability to resist or recover from the most serious attacks. These are among the first steps to building more mature “cyber risk cultures,” in which all functions — especially the first (business lines), second (risk management) and third (internal audit) lines of defense — recognize that they have a role to play in securing assets and protecting the reputation of the business.
5. Think bigger and differently
Reporting metrics and engaging the business remain atop the agenda for cybersecurity teams. Considering that consumers now look to the private sector for security, trust is especially important.
That’s why more organizations are aiming for an approach that ingrains effective risk management and cybersecurity practices into the structure of the business. Engaging product development teams to instill risk intelligence in decision-making about features and experiences is one example where risk leaders are gaining traction with the business. Risk managers and cybersecurity leaders should help define the ground rules and guardrails for the use of emerging technologies such as AI, blockchain, RPA and the cloud.
In this sense, risk management and cybersecurity leaders are no longer tasked exclusively with “playing defense” and stopping data breaches and other bad things from happening. They are thinking strategically and considering whether firms are making risk-informed decisions to act boldly in pursuit of innovation and transformational initiatives.
The bottom line: where cybersecurity is today and where it needs to be tomorrow
The rapid pace of disruption brings new risks and threats for financial services firms. The nature and scale of this change encourages information-sharing among firms in areas ranging from engaging the business, to enhancing the content and format of key reports (including those for the board and regulators), to deciding on the right technologies to deploy. Cybersecurity reporting, metrics and dashboards not only help organizations understand their risk posture but also help them make better-informed decisions as they prepare for the unknown of tomorrow.