Organizations can spend a lot of money on cybersecurity, where the people, processes and tools all need to work together. Cyber threats are constantly changing, which means toolsets are changing as well, and cyber professionals need constant training. They also need ample time to participate in cyber communities where information about ever-more sophisticated threats is shared.
When executive leaders are asked for new funding for cyber resources and tools, but the organization has not had a significant breach, they may question whether all the investments are warranted. It may seem as if they are throwing good money to programs that need to be reined in.
But why is this? Clearly, everyone knows that a data breach can be costly. Yet the executive team needs to effectively manage all resources. So, when a cybersecurity program is working well, how can executives know when and why to make more investments?
Last year, I had an opportunity to brief a corporate board on their security program. This board had been very supportive of cyber efforts, but wanted to better understand the program and investments being made. To illustrate the cyber defense program, executive cyber dashboards were presented that identified the cyber tools being used, what type of intrusions they monitored and prevented, and the number of blocks made over a given quarter. Immediately, every board members’ eyes were open to what was happening on a daily basis, and they had a much better appreciation for why the program is so important - and why the investments were needed.
These simple executive dashboards also provided information on the number of intrusions blocked as a result of participating on cyber information sharing communities where newly evolving intrusion types are often discussed. The board was able to see clearly how important it is to participate in those activities. When the board asked about the number of blocks made to e-mail spear-phishing, we were able to have a discussion about why those appeared and the importance of continuous employee training. Suddenly, the conversation shifted to, “Are we investing enough in cyber training?”
Cyber dashboards are a great way to educate all levels of the organization on how a cyber program is protecting the organization. The type of dashboard and the information presented is important. For executive cyber dashboards, keep in mind the following:
- Know your audience: Create a dashboard catered to what your audience cares about and can absorb. Avoid tool-based dashboards (e.g., providing details on log-in failure attempts and trends) that provide too much detail. You will get stuck in discussions on details that don’t help with decision making.
- Illustrate the daily challenges: Show a summary of what your people, tools and processes are faced with on a daily basis. This can include metrics around the tools used and the number of threats stopped, and will help keep operational investments prioritized.
- Show the vulnerabilities/highest risks: Illustrate where cyber program weaknesses exist (people, processes and tools). This will keep budget needs prioritized on the right activities. Transparency in vulnerabilities is important to any cyber program and executives need to be kept informed at all times.
Like any cyber investment, developing dashboards does not guarantee protection from a cyber breach, but it certainly will help measure the program with the right transparency and educate those who need to make those important investment decisions.