Sage Advice - Cybersecurity Blog

Cybersecurity Metrics Your Board of Directors Should Care About & Why

Businesses today are going through an incredible digital transformation – moving to the cloud, embracing the Internet of Things (IoT), implementing automation, etc. – all at a lightning-fast pace. This is opening them up to new and expanding cybersecurity threats that are difficult to manage.

That is in part why Gartner predicts that by 2020, 60% of digital businesses will suffer major service failures due to the inability of security teams to manage digital risk. As Gartner puts it: “Digital business moves at a faster pace than traditional business, and traditional security approaches designed for maximum control will no longer work in the new era of digital innovation.”

Why Cybersecurity is a Top Priority for the Board

A report from Fortinet reveals that part of the problem is that security isn’t seen as a critical business problem by senior executives and Board members alike. But this is changing. The report lists a number of reasons why cybersecurity is becoming a Board priority in 2018. Here are a few of the most significant, according to the report.

  1. Security Breaches and Global Attacks. The vast majority of organizations have experienced some type of security breach or attack in the past two years. Forty-nine percent of survey respondents said their organizations increased their focus on security following a global attack such as WannaCry. Increased publicity and attention, along with implications on brand reputation and business operations makes these Board-level issues rather than IT operational undertakings.

  2. Attack Surface. The adoption of the cloud, the emergence of IoT, and the growth of big data expand both the size and the complexity of the attack surface. Seventy-four percent of survey respondents indicated cloud security is a growing priority for their organizations. Half say their organizations plan cloud security investments over the next 12 months. IoT is just as big a factor when it comes to the ever-expanding attack surface. The number of connected IoT devices is predicted to balloon to more than 8.4 billion by year end, according to Gartner. Of these, 3.1 billion belong to businesses. Because many IoT devices are difficult to patch or monitor, analysts also predict that more than 25% of all security attacks will target IoT devices by 2020.

  3. Regulatory Compliance. New government and industry regulations are also increasing the importance of security. Thirty-four percent of respondents indicated that these regulations heighten the awareness of security at the Board level. The EU’s General Data Protection Regulation (GDPR), which goes into effect this year (2018), is one such example.

Cybersecurity Reporting to the Board

In order for Board members to take the necessary responsibility for cybersecurity, they need not only to understand the fundamentals of cybersecurity, but also to keep up to date on the status of the organization’s cybersecurity program. This is done through regular reporting by information security and risk management leaders to the Board of Directors.

Here are some reports and metrics that will be helpful to inform your Board:

  • Regulatory Updates. Include industry specific updates for Board members that will engage them personally, as well as the organization.

  • Risk Management Program. Provide the number of risk assessments completed. Include significant findings and remediation efforts, as well as open exposures and the decisions made about whether and when to remediate them.

  • Vendor and Third-Party Service Provider Management. Present any contractual considerations for new vendors and any performance-related metrics for service level agreements. Let them know if there are any security concerns coming out of due diligence research, any incidents or incident notifications to report, or a concentration of risk that needs to be examined.

  • IT Budget Considerations. Share the effectiveness of implemented technologies and propose new solutions to address any deficiencies. Present your strategic plan and any staffing needs as well.

  • Security Monitoring and Testing Reports. This can include penetration testing and vulnerability assessment report summaries (for example, how many critical findings were remediated within the agreed timeframe) as well as IDS / IPS metrics.

  • Incident Management. Report on any significant incidents and on metrics for team response, such as time to detect and time to contain. Provide any testing reports (e.g., tabletop exercises) or plan improvement suggestions.

  • Training Activities. Provide an overview of annual end-user awareness training, IT / IS specific training, as well as periodic training reinforcement program(s) that are required.
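The response-time and remediation metrics mentioned under Security Monitoring and Incident Management are only useful to a Board if they are computed the same way every quarter. The following is an added example, not code from the original page or from any vendor named on it, showing one way to derive mean time to detect (MTTD), mean time to contain (MTTR) and remediation-SLA compliance from a handful of constructed incident and vulnerability records. The SLA windows (7/30/90 days by severity) and the sample records are assumptions for illustration, not figures from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed remediation SLAs in days, keyed by finding severity (illustrative only).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class Incident:
    ident: str
    severity: str
    occurred: datetime   # start of attacker activity per the forensic timeline
    detected: datetime   # first alert or human observation
    contained: datetime  # point at which the attacker could no longer act


@dataclass
class Finding:
    ident: str
    severity: str
    found: datetime
    fixed: Optional[datetime]  # None while the finding is still open


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def incident_metrics(incidents):
    """Board-level response metrics: count, MTTD and MTTR in hours."""
    return {
        "count": len(incidents),
        "mttd_hours": round(mean(_hours(i.detected - i.occurred) for i in incidents), 1),
        "mttr_hours": round(mean(_hours(i.contained - i.detected) for i in incidents), 1),
    }


def remediation_sla(findings, as_of):
    """Per severity: how many findings were fixed inside the SLA window and
    how many open findings have already blown past it as of `as_of`."""
    report = {}
    for sev, days in SLA_DAYS.items():
        subset = [f for f in findings if f.severity == sev]
        if not subset:
            continue
        within = overdue = 0
        for f in subset:
            deadline = f.found + timedelta(days=days)
            if f.fixed is not None and f.fixed <= deadline:
                within += 1
            elif f.fixed is None and as_of > deadline:
                overdue += 1
        report[sev] = {
            "total": len(subset),
            "within_sla": within,
            "overdue_open": overdue,
            "pct_within_sla": round(100 * within / len(subset)),
        }
    return report


# Constructed sample data (not real incidents or findings).
SAMPLE_INCIDENTS = [
    Incident("INC-1", "high", datetime(2018, 3, 1, 8), datetime(2018, 3, 1, 20), datetime(2018, 3, 2, 2)),
    Incident("INC-2", "critical", datetime(2018, 4, 10), datetime(2018, 4, 12), datetime(2018, 4, 12, 10)),
]
SAMPLE_FINDINGS = [
    Finding("V-1", "critical", datetime(2018, 5, 1), datetime(2018, 5, 5)),
    Finding("V-2", "critical", datetime(2018, 5, 10), datetime(2018, 5, 25)),
    Finding("V-3", "critical", datetime(2018, 6, 1), None),
    Finding("V-4", "high", datetime(2018, 5, 1), datetime(2018, 5, 20)),
    Finding("V-5", "high", datetime(2018, 6, 20), None),
]
REPORT_DATE = datetime(2018, 6, 30)


def board_summary(incidents=SAMPLE_INCIDENTS, findings=SAMPLE_FINDINGS, as_of=REPORT_DATE):
    """Combine both views into the structure a quarterly Board slide is built from."""
    return {"incidents": incident_metrics(incidents), "remediation": remediation_sla(findings, as_of)}


if __name__ == "__main__":
    for section, values in board_summary().items():
        print(section, values)
```

On the sample data this yields an MTTD of 30 hours and an MTTR of 8 hours, and shows that only one of three critical findings was fixed inside the assumed 7-day window with one still open and overdue. The point of reporting the overdue-open count alongside the percentage is that a high "fixed within SLA" figure can hide findings that were never closed at all.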

An engaged and active Board of Directors can greatly improve the cyber resilience of an organization. Making sure that they have all the knowledge they need to make informed decisions when it comes to cybersecurity will pay dividends in the end.

