Sign up to save your podcasts
Or
Share Presenting to the Board
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Presenting to the Board
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-presenting-to-the-board/)
What metrics, reports, or strategies should a security professional utilize to communicate the value to the board? Or is the mode of "presenting to the board" a damaged approach?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Barry Caplin (@bcaplin), executive leadership partner, Gartner.
Thanks to this week’s podcast sponsor, Anomali.
Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com
On this episode of Defense in Depth, you’ll learn:
- A conversation with the board begins with a discussion of what risk is. But getting that information out of the board is far from a simple task. Vague answers are not helpful.
- Metrics are of value to the board, but avoid offering up tactical metrics. Instead, utilize strategic metrics.
- Once risk appetite is understood and agreed upon, then it's appropriate to begin a discussion of the security program's maturity.
- Caplin recommends a four-slide presentation for the board:
- Where we were, problem areas identified per risk and maturity.
- What we spent and a bit of why we spent.
- Where we are now (metrics come into play here). Best to show how much progress you've made in implementing security programs.
- Where we want to go next, and what the next ask is.
- If you're going to show a metric, it should answer a very specific question for the board.
- If you are going to show one metric, the most popular one is dwell time or the time between when an attack happens, when you discover it, and when it's remediated.
- The one metric of dwell time provides a lot of information as to the maturity of a CISO's security program as it coincides with its ability to respond to incidents.
- Some CISOs aim for a storytelling approach completely avoiding metrics because metrics have unfortunately led the board down the wrong path. It's either the wrong metrics, too detailed of a metric, or metrics not tied to business risk or to a maturity model.
View all episodes
By David Spark, Steve Zalewski, Geoff Belknap
4.8
7373 ratings
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-presenting-to-the-board/)
What metrics, reports, or strategies should a security professional utilize to communicate the value to the board? Or is the mode of "presenting to the board" a damaged approach?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Barry Caplin (@bcaplin), executive leadership partner, Gartner.
Thanks to this week’s podcast sponsor, Anomali.
Anomali is a leader in intelligence-driven cybersecurity solutions. Anomali turns threat data into actionable intelligence that drives effective security and risk decision making. Customers using Anomali identify cyber threats from all layers of the web, automate blocking across their security infrastructures, and detect and remediate any threats present in their networks. www.anomali.com
On this episode of Defense in Depth, you’ll learn:
- A conversation with the board begins with a discussion of what risk is. But getting that information out of the board is far from a simple task. Vague answers are not helpful.
- Metrics are of value to the board, but avoid offering up tactical metrics. Instead, utilize strategic metrics.
- Once risk appetite is understood and agreed upon, then it's appropriate to begin a discussion of the security program's maturity.
- Caplin recommends a four-slide presentation for the board:
- Where we were, problem areas identified per risk and maturity.
- What we spent and a bit of why we spent.
- Where we are now (metrics come into play here). Best to show how much progress you've made in implementing security programs.
- Where we want to go next, and what the next ask is.
- If you're going to show a metric, it should answer a very specific question for the board.
- If you are going to show one metric, the most popular one is dwell time or the time between when an attack happens, when you discover it, and when it's remediated.
- The one metric of dwell time provides a lot of information as to the maturity of a CISO's security program as it coincides with its ability to respond to incidents.
- Some CISOs aim for a storytelling approach completely avoiding metrics because metrics have unfortunately led the board down the wrong path. It's either the wrong metrics, too detailed of a metric, or metrics not tied to business risk or to a maturity model.
More shows like Defense in Depth
View all
Security Now (Audio)
1,979 Listeners
Risky Business
365 Listeners
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
626 Listeners
Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec
366 Listeners
Hacked
183 Listeners
CyberWire Daily
1,009 Listeners
Smashing Security
312 Listeners
Click Here
413 Listeners
Darknet Diaries
7,879 Listeners
Cybersecurity Today
166 Listeners
CISO Series Podcast
189 Listeners
Hacking Humans
314 Listeners
Cyber Security Headlines
127 Listeners
Risky Bulletin
43 Listeners
Hacker And The Fed
167 Listeners