Making the Grade

In KPMG’s “2015 Global Audit Committee Survey,” audit committee members ranked the quality of the information they received about cyber risks last among the 12 types of risks reported to them. Forty-one percent of respondents rated cyber risk communications as “needs improvement.” Basically, boards gave CISOs a grade of F or, at best, a D.

Yet failure is not an option for CISOs in this new role. They are increasingly being turned to for counsel and viewed as a risk leader in the enterprise. As an IBM-sponsored report, “IBM Empowers the CISO,” explained, “Security reporting in the past has often been via complex reports and presentations. This has meant that the boardroom has often had little real understanding of the real state of IT security. One thing that the boardroom is comfortable with is the use of BI to drill down through complex data to get a clear understanding of the profit, loss and risk associated with business activity.”

The problem is often too much data. The report stated that the average CISO has more than 50 tools used to manage security. While it may be tempting for a CISO to report on all the security data available, doing so would waste the board’s time and damage the board’s view of the CISO as a risk leader. It is up to the CISO to sift through the mountains of security data to provide the board with a clear picture of the organization’s cyber risks.

What Are Boards Looking For?

Of course, CISOs should be ready to address what boards want to know about cyber risks. In its report on cybersecurity oversight in the boardroom, KPMG listed the three most important questions for boards to ask as:

  1. What are the new cybersecurity threats and risks, and how do they affect our organization?
  2. Is our organization’s cybersecurity program ready to meet the challenges of today’s and tomorrow’s cyberthreat landscape?
  3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?

When it comes to engagement from the board, the advice included for board directors emphasized the need to:

  • Understand the risk management approach and linkage to enterprise risk;
  • Review and approve risk tolerance;
  • Understand the current maturity of control structure; and
  • Review the relevancy of the selected control framework.

How Can Tools Help?

CISOs and their teams should look for tools that “present data to the boardroom and specifically the CISO in an actionable state, rather than what is often perceived as noise,” according to the report. This means dashboards with near real-time representation of cyber risks and the ability to drill down by business sector to compare one sector with another or identify a source of high risk, and across time periods to see how the risks changed over time. The goal for such a tool should be, as the report put it, “helping the CISO engage with the board in terms of risk and budget.”

To illustrate how tools can assist the CISO in doing just that, consider the two solutions covered briefly below.


Brinqa describes itself as “a new, unified risk management system” that “combines a robust and flexible architecture and capabilities that have proven to be a practical solution to the information technology risk management dilemma.”

Brinqa is a quantitative solution that can summarize data from a multitude of security tools into a common risk language to evaluate the overall posture and identify critical gaps.


Accliviti “was developed to fill three large gaps in information security management: 1) to provide an accurate measurement of security across large enterprises; 2) to visually guide development of a strong information security framework; and 3) to communicate security to management as a justification for security investments.”

In contrast to Brinqa’s quantitative approach, Accliviti uses qualitative input from the organization’s own security professionals to gauge the level of maturity of each of the components of the cyber risk program.

So while Brinqa’s dashboard can crunch security data from a number of products and produce up-to-date reports from that data, Accliviti’s dashboard can elevate the discussion to focus on the level of maturity desired and achieved for each of the components of a security framework.

[Screenshot: Accliviti’s Improvement Summary dashboard, showing the initial score, revised score, desired goal maturity score and maturity delta from that goal for each of five categories tracked as part of an ISO security program.]
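To make the two reporting styles above concrete, here is an added example (not Brinqa’s or Accliviti’s code, and not code from the original article). It models the quantitative "common risk language" roll-up described for Brinqa, with drill-down by business sector and across reporting periods, and the qualitative improvement summary described for Accliviti (initial, revised and goal maturity per category, with the delta still to close). The tool names, sectors, severity scales, findings and maturity values are all constructed sample data, and the mapping of each tool's scale onto a single 0-10 score is an assumption made for the example.

```python
"""Minimal board-level cyber-risk roll-up (added example, constructed data).

Part 1: normalise findings from several security tools, each with its own
severity scale, into one 0-10 score and roll them up by sector and period.
Part 2: summarise programme maturity per category against a goal.
"""
from collections import defaultdict
from statistics import mean

# Hypothetical tool feeds. Each maps its native severity onto a 0-10 common
# scale; the mappings are assumptions for this example, not vendor scales.
TOOL_SCALES = {
    "vuln_scanner": lambda s: {"low": 2, "medium": 5, "high": 8, "critical": 10}[s],
    "edr": lambda s: min(10.0, s / 10.0),   # native 0-100 alert score
    "phish_sim": lambda s: 10.0 * s,        # native click rate 0.0-1.0
}

# Constructed findings: (reporting period, business sector, tool, raw severity)
FINDINGS = [
    ("2015Q3", "retail", "vuln_scanner", "critical"),
    ("2015Q3", "retail", "edr", 75),
    ("2015Q3", "retail", "phish_sim", 0.30),
    ("2015Q3", "finance", "vuln_scanner", "medium"),
    ("2015Q3", "finance", "edr", 20),
    ("2015Q3", "finance", "phish_sim", 0.10),
    ("2015Q4", "retail", "vuln_scanner", "high"),
    ("2015Q4", "retail", "edr", 40),
    ("2015Q4", "retail", "phish_sim", 0.20),
    ("2015Q4", "finance", "vuln_scanner", "low"),
    ("2015Q4", "finance", "edr", 10),
    ("2015Q4", "finance", "phish_sim", 0.05),
]

# Constructed maturity self-assessment: category -> (initial, revised, goal)
# on a 1-5 scale. Category names are illustrative, not a specific standard.
MATURITY = {
    "access_control": (2, 3, 4),
    "incident_management": (1, 2, 4),
    "asset_management": (3, 3, 4),
    "supplier_security": (1, 1, 3),
    "business_continuity": (2, 4, 4),
}


def normalise(tool, raw):
    """Translate one tool's native severity into the common 0-10 language."""
    return float(TOOL_SCALES[tool](raw))


def rollup(findings):
    """Mean common-scale score per (period, sector), rounded for reporting."""
    buckets = defaultdict(list)
    for period, sector, tool, raw in findings:
        buckets[(period, sector)].append(normalise(tool, raw))
    return {key: round(mean(scores), 2) for key, scores in buckets.items()}


def sector_trend(scores, sector):
    """Drill down on one sector: its score over time, oldest period first."""
    return sorted((p, s) for (p, sec), s in scores.items() if sec == sector)


def highest_risk(scores, period):
    """Drill down on one period: the sector carrying the most risk."""
    per_sector = [(sec, s) for (p, sec), s in scores.items() if p == period]
    return max(per_sector, key=lambda item: item[1])


def improvement_summary(maturity):
    """Per category: initial, revised, goal, progress made, and gap remaining."""
    return {
        cat: {"initial": i, "revised": r, "goal": g,
              "progress": r - i, "delta_to_goal": g - r}
        for cat, (i, r, g) in maturity.items()
    }


def categories_behind_goal(maturity):
    """Categories the board should ask about: any still short of its goal."""
    return sorted(c for c, v in improvement_summary(maturity).items()
                  if v["delta_to_goal"] > 0)


if __name__ == "__main__":
    scores = rollup(FINDINGS)
    for (period, sector), score in sorted(scores.items()):
        print(f"{period} {sector:8s} risk {score:5.2f}")
    print("retail trend:", sector_trend(scores, "retail"))
    print("highest risk 2015Q3:", highest_risk(scores, "2015Q3"))
    for cat, row in improvement_summary(MATURITY).items():
        print(f"{cat:20s} {row}")
```

The normalisation step is the part that does the real work for a board audience: once every tool speaks the same 0-10 scale, the same numbers support both the "which sector is worst this quarter" and the "is retail improving" questions without re-reading raw tool output.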

These are only two of many more options available today that were not available just five years ago. As it isn’t feasible to present an exhaustive list of ways or tools that CISOs could use to report on cyber risks, security leaders should explore options for cyber risk dashboards to find similar tools or simply to glean ideas for how to spruce up their next presentation/report.

Reporting and Managing Cyber Risks

As Norman Marks, author of two books of relevance to CISOs, “World-Class Internal Auditing” and “World-Class Risk Management,” explained, an enterprise risk management program should support “effective, informed and intelligent decision-making.” The next time you are preparing to present to executives or board directors, ask yourself if your presentations and reports meet those criteria.

Better yet, ask your audience if your data met their needs. As John Pironti wrote in the November 2015 ISACA newsletter, “Present information that the organization really wants. Instead of assuming what business leaders and stakeholders want to know about information risk and security, ask them.”

Having the right tools will facilitate this process, but it may take time to find the best fit for your enterprise and board of directors.

