Metrics And Industry Comparisons Create A Complete Security Picture
- Focusing on operational metrics may allow you to present impressive numbers, but it will do nothing to tell the CEO just how secure the organization is, so it’s important to focus on critical metrics that have deeper meaning.
- When communicating security levels to the CEO, compare your organization with other companies in your industry and region. This illustrates both your security level and your ability to resist or respond to the attacks that have caused problems for those other companies.
Shaju Bhaskaran, chief information security officer (CISO) of Ahli Bank QSC, says that illustrating a level of security for the chief executive officer (CEO) is a matter of knowing which metrics to share and how to share them. “Every organization has its own appetite for risk and an acceptable level of security. A bank would have more security in a specific region; a different company in another region may have a different level of security. So, the level of security and the controls implemented depend on marketable factors.” Bhaskaran says, however, that you should not disclose all the metrics you track, regardless of the requirements of your region. “You cannot communicate all the alerts and all the metrics that you may have readily available” because so much information is impossible to explain in a way a CEO can understand.