Use Security Metrics to Present a Strong Action Plan
- When presenting security metrics to the CEO or board, a CISO should give them confidence that a strong action plan for
responding to incidents is in place.
- The human element of information security is also important to highlight, so it’s wise to share metrics on security awareness training.
“That’s how they’ll know how secure we really are, because it is not a question of if, but rather of when a malicious event will occur.”
If the chief executive officer (CEO) asks, “Just how secure are we?”, David MacLeod says, “My answer focuses on how quickly I know that a breach occurred, what we’ve done to ensure that the alarms will go off when they should, that we’re alerted when any kind of an anomaly happens that could possibly be an incident that is either security or privacy related, and that we have planned in advance how we are going to respond.”