Security icon

Forge an Ironclad Reporting Strategy for Security Metrics

Help the board understand what they need to know – no more, no less.

Get Instant Access to this Blueprint

View Storyboard

Solution Set Storyboard Thumbnail


  • Robert H. Jackson, Global Chief Information Security Officer, Sedgwick
  • Peter Singh, Executive Officer - IT Services, Toronto District School Board
  • Jeff Tandy, Senior IT Security Specialist, General Dynamics Land Systems Canada
  • Kelly Walsh, CIO, College of Westchester
  • Kevin Yenglin, Information Security Manager, Rehmann
  • Three anonymous contributors

Your Challenge

  • Board-level presentations are a rare opportunity for Security and the Business to understand each other’s viewpoints and the things they care about, and metrics are a good way of quantifying successes and shortcomings.
  • But because both sides think in different terms, reaching this understanding can be easier said than done. In effect, there is a language gap between the Business and Security that can have a detrimental effect on business-security alignment.

Our Advice

Critical Insight

  • Out of all the metrics your security program tracks, how do you decide which ones are important enough to share with the board?
  • Once you’ve made that decision, how will you explain those metrics in terms that will be meaningful to the board?
  • The best way is to aggregate your individual, low-level metrics into larger groups that are easily digestible by the board.

Impact and Result

  • Learn to view your individual metrics as component parts in a larger story about your organization’s security posture.
  • Decide what message the business needs to hear in order to appreciate the security program’s successes and areas for improvement.
  • Strategize ways of using those groups to tell a broader story about risk, allowing you to bridge the language gap between security and business leaders.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop a risk-based reporting strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Develop a risk-based reporting model

Deliver a strong metrics presentation to the board by presenting data in terms of business risk.

Guided Implementations

This guided implementation is a two call advisory process.

Call #1 - Start with a winning reporting strategy.
Call #2 - Learn to communicate through risk-based terms.
Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019