The only 2 security metrics that matter to execs

Knowing how to talk security with the C-level or board of directors can be difficult. But according to one IT pro, the entire conversation can revolve around two simple metrics – and result in buy-in for your department. 

Troy Braban, CISO of Australia Post (roughly the Australian equivalent of the U.S. Postal Service) has found that the security conversation with boards of directors doesn’t have to be overly complicated at all. He presented his experience getting that buy-in at the RSA Conference 2015 in San Francisco.

“Boards are incredibly smart, and if you give them the right information, they’ll come up with the right answer,” Braban said to a packed audience. “But you need to give them the right information.”

What not to talk about

According to Braban, one way companies often go wrong is by talking about security in terms of compliance. This is a closed conversation, Braban has found.

If you’re already compliant, the board may not see a need to improve. If you’re not, they won’t want to hear anything until the situation is fixed.

“Boards are interested in customers, not compliance,” Braban said. “Metrics need to drive decision-making. That’s where you’ll win every single time.”

After trying a variety of metrics to present, Braban has found two that work best for giving the full security picture.

1. Security testing coverage

One thing that has worked especially well is talking with the board about what his team did and did not know about security.

When presenting on security, Braban explained everything that his organization was able to test and measure from a security standpoint. But he also told them which areas could not currently be tested.

“I’d say we’ve gone through everything and we know A, B and C, but we don’t know D, E and F. I can’t give you assurance of these things,” Braban explained.

More than anything else, being told plainly about these gaps led the board to support exploring the unknown areas and to provide the resources to do so.

2. Information security budget as a percentage of IT’s budget

In addition to knowing your security coverage, it’s important to show your board what you’re doing with the budget you have. For Braban, that relied on modeling that compared his organization’s security budget breakdown with that of its peers.

He also set up and presented scales that showed where security stood for certain key focus areas and what additional investment would be needed to get to a target level. This leads to a conversation about priorities and improvements.

“You can have a discussion about where the priority should be,” Braban said. The target level can shift with available resources or current priorities, so it’s best to meet regularly and report where you currently sit on the scale. You may find you eventually win funding for crucial improvements through this persistent approach to addressing security.

“You might not be able to hit the metric you want to do today, but maybe you can in one or two years,” Braban said.

 
