Rica explains that most CISOs are drowning in metrics and offers a path forward for boards and CISOs to achieve better business alignment
Security performance metrics are vital for CISOs and their organizations to evaluate and enhance their security posture and justify budget requests to their boards.
The struggle CISOs face isn’t a lack of metrics, but finding data with meaningful business context, according to BPM Advisory Partner Fred Rica. “They don’t generally support or align with business objectives; they don’t support how cyber is enabling the business,” comments Rica.
“Board members need to be asking (and CISOs need to be answering) three simple questions… These are: What are we doing? Is it enough? How do we know?”
“In order to answer these questions and have effective board-level metrics that have meaning and context, we first need a cyber program – a program that is based on a standard, that reflects the risk tolerance of the organization, that identifies and focuses effort on the most important assets, that understands and accepts any residual risk, and is focused on defending against the most likely attackers and highest risk events.”
For more about measuring cybersecurity effectiveness, read the full article on CSO Online’s website.