Last updated at Mon, 24 Jul 2023 19:30:54 GMT

This year, new rules from the Security and Exchange Commission (SEC) about board-level expertise, risk management, and public disclosures will take effect. The European Union is updating its regulations, as well. To meet these new requirements, organizations will need to explain to shareholders exactly how they assess cyber risk, describe security policies, and prove a significant level of board oversight.

In this climate, security leaders will be expected to advise the C-suite on SecOps activities. As a security professional, this can be a challenge. It’s also an opportunity to shape the structure and execution of business and go-to-market decisions.

Our latest ebook, Presenting Upward: How to Showcase SecOps Metrics That Matter offers practical and actionable advice on how to present security metrics in a language execs understand.

About those metrics

Cybersecurity metrics are essential to understand where you’re succeeding and where you may need to make changes.

Some examples include:

Number and disposition of security incidents: You have no control of this, but it gives execs insight into the risk they face. There’s an attack every 39 seconds somewhere. What’s life like in your security operation?

Mean time-to-detection (MTTD): This metric gives insight into both efficacy of tools and coverage of data (is the detection coming from a reported incident vs. a tool, etc.).

Mean time-to-respond (MTTR): This also gives insight into your ability to respond and whether your tools and processes meet your threats and use cases.

Cost-per-incident: This gives you insight into efficiency of process, tooling, and also potential staffing shortcomings (like the number of people or specific skills).

There are many other metrics you may need to track to understand your cybersecurity readiness. Good metrics will differ for every organization, depending on your risks, needs, compliance requirements, desired business outcomes, security maturity, and more.

Stories + metrics = success

Generally speaking, executives don’t usually want to get too deep in the weeds. So, your ability to present metrics in a way they understand is critical to achieve cybersecurity goals.

Execs typically want answers to questions like:

  • What are our risks, and how are we addressing them?
  • How secure are we compared to similar organizations?
  • Are we budgeting the right amount for cybersecurity?
  • Where do we have opportunities for efficiencies or vendor consolidation?
  • How are we addressing that thing in the news?

So, when presenting to execs it’s essential to put metrics into context. One way to do this is to craft a narrative that brings metrics to life. Stories often have more of an impact than facts and figures alone. This isn’t anecdotal; neuroscience has shown that when we are presented with a story, we understand the information more deeply, remember longer, and are more likely to factor what it taught us into future decisions.
For more tips on crafting an effective narrative, and much more, download Presenting Upward: How to Showcase SecOps Metrics That Matter now.