Gartner data show that these are the three most common questions related to board and executive communication. Every one of them is challenging. We have better answers now, than ever before.
- How much should I spend on cybersecurity?
- How does our cybersecurity program compare to others?
- What metrics should I report to my board?
I’m going to answer all three in separate blog posts, because when you put it all together in one long blog post… no one will read it. Plus, they each need their own narrative even though they overlap greatly.
My brilliant colleague and collaborator Emily Tan informed me that it’s really rude to tell people they’re asking the wrong question, so let me put it another way… you need some context to get the direct answer to your original question.
How much should I spend on cybersecurity?
I’m not going to lie. This question drives me nuts. The implication is that spend is a proxy for quality and protection. It’s not.
Name one business outcome or process where its success or efficacy is judged by the amount that was spent on it. “Did we spend enough money on that?” was asked by no CFO ever. Unless they’re asking about cybersecurity.
I will answer your question on how much you should spend on cybersecurity in this blog post Value is Missing in Executive Communication on Cybersecurity.
How does our cybersecurity program compare to others?
Our research shows that one of the top asks of every CIO and CISO that filters down from their board is to have peer comparative measures of cybersecurity. This question is right on target. And it’s a tough one.
The primary issue in peer comparisons is that everyone measures cybersecurity differently. Is patching a security budget item or an IT budget item? How do measure mean time to remediate? What’s the definition of a security incident?
I have answers for you and they can be found in this blog post: Benchmarking Cybersecurity Value Delivery.
What metrics should I report to my board?
I’ve reviewed hundreds of cybersecurity metrics programs over the last 15 years. I’ve stated repeatedly, and confidently, two things:
- No one can give you a list of metrics.
- You should not use operational metrics with executive decision makers.
I was wrong.
It turns out I can tell you exactly what your metrics should be… and ironically, they are operational metrics. Operational metrics work in cybersecurity when they are a reflection of value delivery and protection levels. And we are benchmarking 20 of them.
Read all about them in this blog post: What metrics should I report to my board? Which should make Emily happy that I’m finally providing a direct answer to a question.
Webinar and Benchmark Release
April 20, 2022, 11:00 AM ET: Webinar Make Cybersecurity a Priority Business Investment addresses this topic and more. This webinar is open to everyone and will be available for replay.
June 10, 2022, 9:00 AM ET: At the Friday morning keynote of our Security and Risk Management Summit in National Harbor, MD I will be releasing the benchmark definitions for our first generation cybersecurity value delivery benchmark and early data gathered from a small number of organizations.
We will also release the survey to all conference participants to fill out their own data and get the earliest version of our official benchmark.
Follow me on Twitter
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.