- Robert H. Jackson, Global Chief Information Security Officer, Sedgwick
- Peter Singh, Executive Officer - IT Services, Toronto District School Board
- Jeff Tandy, Senior IT Security Specialist, General Dynamics Land Systems Canada
- Kelly Walsh, CIO, College of Westchester
- Kevin Yenglin, Information Security Manager, Rehmann
- Three anonymous contributors
- Board-level presentations are a rare opportunity for Security and the Business to understand each other’s viewpoints and the things they care about, and metrics are a good way of quantifying successes and shortcomings.
- But because the two sides think in different terms, reaching this understanding can be easier said than done. In effect, there is a language gap between the Business and Security that can have a detrimental effect on business-security alignment.
- Out of all the metrics your security program tracks, how do you decide which ones are important enough to share with the board?
- Once you’ve made that decision, how will you explain those metrics in terms that will be meaningful to the board?
- The best way is to aggregate your individual, low-level metrics into larger groups that are easily digestible by the board.
Impact and Result
- Learn to view your individual metrics as component parts in a larger story about your organization’s security posture.
- Decide what message the business needs to hear in order to appreciate the security program’s successes and areas for improvement.
- Strategize ways of using those groups to tell a broader story about risk, allowing you to bridge the language gap between security and business leaders.
This guided implementation is a two-call advisory process.