This post summarizes some Cybersecurity metrics for Board or Risk Committee Reporting.
Why Metric Reporting?
- Reporting leads to success
- Providing overall status of cyber program and its impact on overall enterprise
- Effective allocation of funding resources
- Supporting regulatory reporting requirements
- Quantify cyber resilience leading to reduced customer and shareholder risks
- Provides the context for budget increases
- Need to address current and future threats
- Conveying information to board through metrics
- Frame within maturity, risk, cost
Requirements:
- Must be actionable
- Must have clarity
- Is the cyber program working?
- Is the cyber program adequately funded?
- Is the cyber program reducing customer and shareholder risk?
Common Goals
- Literature review/survey - NIST, FFIEC, CIS, SOC, ISO
- Reportable metrics - as per literature review
- Appropriateness - Effective Decision Making
Cyber Metrics Development Process
- Assess
- Discuss
- Research
- Broader Discussion
- Effective Cyber Metrics
Metric Examples
For Following Common Areas
1. Cybersecurity training
2. Spam / Phishing Email Management
3. Patch Management
4. Antivirus / Antispyware coverage
5. Incident Management
6. Audit Management
References
- https://www.youtube.com/watch?v=xwMY5LGsutY
- How to Plan for and Implement a Cybersecurity Strategy - https://www.youtube.com/watch?v=u-EQHbqWY60
- Cybersecurity reference architecture - https://learn.microsoft.com/en-us/security/ciso-workshop/ciso-workshop-module-1?view=o365-worldwide
- The Chief Information Security Officer (CISO) Workshop Training - https://learn.microsoft.com/en-us/security/ciso-workshop/the-ciso-workshop