by Joseph Socolof
Contributing Editor

‘Do you want to build a dashboard?’: Building a risk-based cybersecurity dashboard to improve executive decision-making

Most organizations have an executive dashboard for cybersecurity. Unfortunately, most are designed and built by the IT organization, and most focus on compliance and maturity rather than on what truly matters – risk mitigation. Even worse, most provide little ability to drive effective executive decision-making.

Let’s start with a very simple premise: cybersecurity is a business enabler. If risk is well understood within an organization, it will have been quantified in dollars. Cybersecurity, then, is an enabler of value – it allows an organization to clearly quantify the tradeoffs between the financial investments made and the value those investments provide to the business.

Good executive-level reporting is not technical. It should be risk-based, business-driven, and highlight five things:

  • Top risks – What matters? How much risk do we have and where do we need to focus our efforts?
  • Resilience – What is our ability to recover? When there is an event, how prepared are we?
  • Mitigations – What are we doing about it? Do we have a credible plan/roadmap to address gaps?
  • ROI – Are we investing well? Do we have an understanding of the economic tradeoffs we are making?
  • Performance – How well are we executing? Are we doing what we said we would do? Are we getting the results we expect?

An effective executive-level dashboard will drive more timely and more informed decisions. It will create transparency and an easily digestible view of an organization’s risk exposure, its critical assets, vulnerabilities, threats, mitigations, and performance. Decisions can then be made regarding which steps should be taken to protect assets based on the risk those assets represent to the business. If done well, an organization will have a customized plan to protect its most critical assets and address its most significant risks, and will have transparency into the economic benefits of the decisions it is making.

Establishing a dashboard is often the right first step on the journey. In as little as six weeks, an organization can have a platform for more effective dialogue and, in turn, for data-driven decision-making. Often, the simple process of creating a risk-based dashboard will highlight gaps in governance, systems, and data. In the longer term, it will lead to an improved cyber posture.
