Chapter 11 Monitoring and Review Using Key Risk Indicators (KRIs)

Ann Rodriguez, Managing Partner, Wability, Inc., USA

Tom is in a meeting with his chief risk officer, Nathan, and his chief information security officer (CISO), Maria. Maria is presenting on the progress of the information security program. Tom asks, “How do I know we are doing the right things? That our program is really where it needs to be? That we can really be ahead of this risk?” Nathan hands Tom a graphic one-page report. “Tom, here you can see what we are measuring to indicate risk levels associated with information security risk. These indicators are already showing improvement given the current state of the program. As you know, ‘what gets measured, gets done’; so we are also tracking indicators associated with the program progress. These two sets of data provide a powerful story, which we can use to discuss with the board.”

Not many organizations have been known to fail due to a cybersecurity event. This is likely due to strong risk programs that detect and react to threats, and to luck. While no failures have been attributed to cybersecurity events, many operational losses can be attributed to them. With the velocity and sophistication of these threats constantly accelerating, it is imperative that organizations keep pace both in how they consider the risk and in evolving the metrics that indicate potential changes in risk levels.

The presentation and usage of key risk indicators ...

Get The Cyber Risk Handbook now with the O’Reilly learning platform.
