Troy Braban was only half-joking with this slide he shared at the RSA Conference in San Francisco: "83.45% of metric presentations at 96.82% of security conferences suck."
Fortunately for the the more than 500 attendees who packed his session to hear about security metrics boards actually care about, Braban, the CISO of Australia Post, wasn't talking about himself.
The problem most CISOs have in assembling effective metrics, he noted, is that they don't speak the same language as the business. To emphasize that point, he shared a conversation he had with a business manager responsible for an application that was having security issues. He told her he'd deploy a Web application firewall in front of it and then answered her questions about how a WAF works. Her takeaway from his explanation? "So, it's like a condom."
Because that admittedly crude description was easy for the business manager to understand, Braban stuck with the terminology and has since checked in with her via text with notes like, "Is your condom holding up?"
While board members generally use more genteel terminology, this anecdote illustrated the importance of giving business information it can grasp. So, when CISOs present their boards with metrics on things like patch policy compliance or mean time to incident recovery, Braban said they're missing an opportunity.
"Everyone thinks compliance is the first thing you have to talk about with the board," he said. "Totally wrong."
Instead, Braban said, CISOs need to give their boards metrics that hit the things they get excited about — namely customers, revenue, costs and the like.
"The people on boards are incredibly smart," he said. "If you give them the right information, they'll make the right decisions. But you have to give them the right information."
Sadly, most CISOs aren’t giving boards any kind of information. Braban cited Ponemon Institute research that just 34 percent of security executives said their organizations even consider metrics to be a strategic priority. What's worse, only 22 percent said they've actually engaged with their boards in the last year.
Framed another way, that means that 1 in 8 security execs haven't been engaging their boards with metrics even though they believe it's a strategic priority to do so.
The odds are that many CISOs have been discouraged by previous interactions with their boards that didn't go as they'd hoped. Those that were in the audience Wednesday left with a few potential tricks they could try.
Braban came up with an approach to metrics that's proving to be effective: he's highly engaged with his board, and he gets the resources he needs because he's so good at presenting his board with useful information. He developed a one-page security scorecard that condenses Australia Post's exhaustive security data into a simple statement of how the organization is doing in reaching its targets in areas like customer satisfaction, staff engagement, finance and brand protection.
He's also developed a "maturity metric model" that boils all of his metrics down into a pared-down scale illustrating how Australia Post's security effectiveness is progressing toward its target. This basic data is helpful in framing much larger discussions, such as whether to pursue an international expansion opportunity. Braban said that if the maturity rating is too low, the board could decide to invest in bringing it up first to increase the odds of a successful expansion.
"Metrics that drive decision making—that's the key," he said. "If you can find those metrics, that's where you'll be every single time."
What CISOs definitely should avoid is burdening their boards with nitty-gritty security details. Statistics on things like network availability and continuity are only interesting to board members when they can be tied to something they care about, like the customer experience.
"Metrics drive an incredibly powerful discussion," Braban said, "but only when they take in the big picture."