1. What makes a good metric
1.1. vary based on organizational need and risk tolerance
1.1.1. aligns with and informs organizational strategy
1.1.2. speaks directly to cost, maturity and risk
1.2. Why are they important for board to consider
1.2.1. to review company controls and peer performance
1.2.2. ID and respond to cyber incidents
1.2.3. verify state of compliance
1.2.4. ensure an understanding of the InfoSec roadmap and strategy
2. Cyber Metrics Survey Analysis
2.1. colleagues - operational
2.2. academics - within specific teaching areas varied by courses taught and interest
2.3. board members - cost, maturity, risk
3. Frame your talking points
3.1. No esoteric data - meaning to the board
3.2. Direct and easy to understand data enable more accurate and rapid decision making
4. Metrics must be SMART
4.1. Specific - attacks per day (no)
4.2. Measurable: indicator for success
4.3. actionable: easy to understand and incorporated into program improvements
4.4. Relevant: must tie back to the program or risk priorities in a meaningful way
4.5. Timely: per day, per month etc
5. Tips
5.1. Before you can present a topic to senior management, you must agree to the scope of the presentation
5.1.1. 3party risk
5.1.2. risk for control selection
5.1.3. threat actors
5.1.4. threat activities
5.1.5. consequences
5.2. Core elements of risk
5.2.1. Threats
5.2.1.1. Likelihood
5.2.2. Controls (Safeguards)
5.2.3. Additional consideration
5.2.3.1. Vulnerabilities
5.2.3.2. Asset Value / Criticality
6. Evaluation and Rotation of Cyber Metrics
6.1. Frequency of reporting
6.1.1. monthly
6.1.2. quarterly
6.1.3. semi annual
6.1.4. Annual
6.2. Are the metrics used generating discussion?
6.3. Value vs Cost of obtaining and measuring new information
6.4. Are the follow-up questions posed demonstrating an uinderstanding of the reported metrics?
6.5. Is the CISO and cyber program getting the necessary output from the board
6.6. Are the metrics proven "actionable"
6.7. Changes to compliance and regulatory bodies
6.8. need to deliver clear, impactful message in a brief period
6.8.1. Is the program working
6.8.1.1. How effective is it controlling and mitigating threats today
6.8.1.2. Is it properly staffed
6.8.1.3. how effective will it be tomorrow
6.8.1.4. Maturity
6.8.2. Cost: is it adequately funded
6.8.2.1. will money fix this problem
6.8.2.2. is it within our control
6.8.3. Risk: is the program reducing customer and shareholder risk
7. Cyber Metrics Development Process (These progress, avoid stagnating in this area)
7.1. Assess: Your starting point
7.2. Discuss: Validating direction & strategy
7.3. Research: Review applicable literature
7.4. Broader Discussion: Engage a broader audience, discuss rationale and changes
7.5. Effective Cyber Metrics: Continue to measure and evolve
8. Develop Process
8.1. Assess metrics and message
8.1.1. Board results are clearly aligned with metric message
8.1.2. Decision-making is aligned with expectations
8.2. Literature Review
8.2.1. What resources are available review
8.2.1.1. No, with few exception quality cyber metrics span most industries
8.3. Ask questions
8.3.1. peers
8.3.2. leadership
8.3.3. board member
9. Takeaways and Applications
9.1. 2weeks
9.1.1. assess the effectiveness of current metrics
9.1.1.1. making trends and determine if aligned with metrics
9.1.1.2. develop a framework to present metrics
9.1.1.2.1. Cost, Maturity, Risk
9.1.1.2.2. Review governance documents for applications (NIST, ISO, CSF, CIS)
9.2. 4 weeks: Review literature cybersecurity metric sources, (MTRE ATT@CK framework)
9.2.1. Select metrics and describe imprtance and why
9.2.2. Reach out to Risk Officer and CIO to validate and discuss
9.3. 2 months: Refine and validate cyber metrics
9.3.1. Discuss with CRO and CIO metrics focus on message and results
9.3.2. discuss with exec leadership (changes and rational
9.4. 3months: Draft of new cyber metrics
9.4.1. CRO and CIO
9.4.2. Executive Leadership