Best practice No. 2: Let the data do the talking
Data is the cornerstone of effective storytelling. CISOs must harness the power of metrics to create an impactful narrative that shows the value of their security investments in action. By selecting the right metrics and presenting them in a clear and concise manner, CISOs can transform complex security information into actionable insights for the board.
“At Kyndryl, we track maturity, which is what we do within our security program, and effectiveness, which is how well we do it,” says Cory Musselman, CISO at Kyndryl, the world's largest provider of IT infrastructure services. “We’ve built a ‘cyber balance scorecard’ to measure these KPIs every quarter so we can show senior leadership and the board that we’re executing against our plan.”
Key metrics such as a reduction in security incidents, improved incident response times, and increased user productivity can be powerful indicators of security effectiveness. However, it's essential to go beyond raw numbers and provide context. To ensure the board fully grasps the significance of the data, it can help to present it in easy-to-understand visuals such as charts and graphs. By telling a story with data, CISOs can build a strong case for continued security investments.
“I use spider charts to show our board what our inherent risk would be if we had no security controls. Then I show them where we are now with our current set of controls and where we want to be,” Domboski explains. “This shows them that our Identity platforms are exactly what we need to implement Zero Trust and keep our business secure.”