Building Your Risk Management and Security Strategy

mitigation efforts. Lastly, automation is essential to your efforts. Functions such as asset management, inventory, and patch deployment should be automated as much as possible to improve efficiency. Your board will want to know how efficiently your team prevents known issues, and automation helps remediate issues faster. Based on our research, automating patching for critical applications such as Google Chrome, or for the most widely deployed operating system, Microsoft Windows, gets those applications patched twice as fast and twice as often as applications lower down the priority list.

Providing information, proving value

Along with using automation to improve your team’s efficiency around patching and remediation, you should also look at how you communicate your efforts to the business. It is not enough to be doing the right things in security; you also have to demonstrate that your work is making a valuable difference over time.

According to Heidrick and Struggles’ Global Chief Information Security Officer Survey, 88 percent of CISOs present their results monthly to their full boards or to a cyber security board committee. This is a prime opportunity to communicate the results that you are delivering, as well as how your work supports the organization’s mission and objectives.

As part of this, you will have to develop appropriate metrics and dashboards that you can share during those conversations. They need to convey your team’s performance against any service level agreements you have in place, any risk measurement models or metrics you provide for your industry or area, and any further information your board has requested. Most importantly, include long-term trend data on your risk management performance alongside the point-in-time data that shows your current risk profile.

Getting the right mix of data that board members can drill into without going into too much detail is a fine line to tread. Too much detail and you can lose your audience or invite unnecessary sidetracking. Too little, and the board can miss how much effort goes into keeping the organization running efficiently and effectively. Most importantly, the metrics you bring to the fore should help your board understand what their decisions on risk mean in practice.

At one level, you should include measurements that show how your team has performed against SLAs. However, your SLAs normally exist for your own benefit first, and while measurements such as patches deployed within a given timeframe help your team track its performance, they are not suitable for the board. Focus instead on the specific critical issues mitigated in a given time frame. Just as prioritization improves your team’s performance, it also lets your board see where your efforts have been concentrated. It can also be a way to evaluate your current SLAs and whether they are still optimal. For example, taking 30 days to patch in response to critical issues is not good enough today, given how quickly malware can be created or a vulnerability weaponized.

Tracking critical risk mitigation times can show how well you focus, and how proactively your team deals with potential threats. At the same time, the trend over time shows whether your organization is facing more or fewer pain points, and where your budgets may need to be adjusted to keep up. Real-world data on your risk mitigation performance can also support conversations with your cyber insurance providers, since demonstrating a well-managed and maintained system over time may reduce your premium costs.
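One way to turn the critical-issue mitigation metric above into a board-ready monthly trend, as an added example that is not part of the original article: the findings, the 7-day critical SLA and the reporting date are all constructed assumptions, and open findings older than the SLA are counted as breaches rather than as pending.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample findings: (severity, date found, date mitigated or None if open).
FINDINGS = [
    ("critical", date(2024, 1, 3),  date(2024, 1, 9)),
    ("critical", date(2024, 1, 15), date(2024, 1, 30)),
    ("high",     date(2024, 1, 20), date(2024, 2, 25)),
    ("critical", date(2024, 2, 2),  date(2024, 2, 6)),
    ("critical", date(2024, 2, 12), date(2024, 2, 17)),
    ("critical", date(2024, 2, 20), None),            # still open
    ("critical", date(2024, 3, 1),  date(2024, 3, 4)),
    ("critical", date(2024, 3, 9),  date(2024, 3, 12)),
    ("critical", date(2024, 3, 18), date(2024, 3, 22)),
]

CRITICAL_SLA_DAYS = 7  # hypothetical internal SLA for critical findings


def monthly_critical_report(findings, sla_days=CRITICAL_SLA_DAYS, as_of=date(2024, 3, 31)):
    """Per month of discovery: median days to mitigate, share within SLA, open and overdue counts."""
    by_month = defaultdict(list)
    for severity, found, fixed in findings:
        if severity == "critical":
            by_month[found.strftime("%Y-%m")].append((found, fixed))
    report = {}
    for month in sorted(by_month):
        items = by_month[month]
        closed_days = [(fixed - found).days for found, fixed in items if fixed]
        within_sla = sum(1 for d in closed_days if d <= sla_days)
        # Open findings count against the SLA share; those older than the SLA are breaches.
        overdue_open = sum(1 for found, fixed in items
                           if fixed is None and (as_of - found).days > sla_days)
        report[month] = {
            "median_days": median(closed_days) if closed_days else None,
            "within_sla_pct": round(100 * within_sla / len(items)),
            "open": sum(1 for _, fixed in items if fixed is None),
            "overdue_open": overdue_open,
        }
    return report


def trend(report):
    """Direction of the median time-to-mitigate from the first to the last month."""
    months = sorted(report)
    first, last = report[months[0]]["median_days"], report[months[-1]]["median_days"]
    return "improving" if last < first else "worsening" if last > first else "flat"
```

The per-month `within_sla_pct` figure is also the number to watch when deciding whether an SLA is still realistic: a share that stays near 100 percent for several months suggests the target can be tightened.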

This should also enable you to track your progress on performance improvements in security and risk management. At the start, you may find that you can make massive risk management improvements by adopting more best practices or by automating tasks such as patch management and remediation. As you improve, however, the gains become more marginal. This is actually a good sign that you have a mature and effective program in place, so manage your board’s expectations about what this looks like. Setting expectations around risk management performance early ensures that everyone knows what the end goals for IT security look like, and gives you the breathing room you need to pursue effective action.

The long-term goal around risk

Cyber security is one of those areas where one can never say that the work is complete. There will always be more risks, more vulnerabilities discovered, and new threat actors trying to take advantage of misconfigurations in the cloud. For the board, this is a natural mindset to embrace, and one they should already be familiar with from managing risks in other areas, whether those risks stem from potential supply chain and logistics issues, geopolitical shifts, or wider economic trends.

The challenge for CISOs is how to support long-term organizational objectives and manage risk more efficiently and effectively over time. With so much of our business reliant on technology today, the role of IT security will take on more of that risk management ethos to keep things running whatever threat actors may throw at us.
