The goal of every security program is to show, consistently, whether risk is going down… or not!
But what should be reported to leadership teams, to executive management, and to the board? Risk metrics on the CIS Top 20 Critical Security Controls!
The Critical Security Controls are a prioritized set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. That makes them a natural thing to both act upon and measure.
Validating that these controls are in place is a daunting task; validating that they are operating effectively, at the right level of maturity, is harder still. Presenting all twenty to the board at once is also more than most boards can absorb.
A phased approach is recommended. Start with the first six controls (the Basic controls). For each one, report three numbers: the month-over-month trend, the average over the reporting period, and how far the current value sits from the tolerance level executive leadership has set.
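As an added example (this is not code from the original post), the script below computes those three numbers for the six Basic controls. It assumes each control is tracked as a monthly coverage percentage (for example, the share of assets in the authorized inventory) and that leadership's tolerance is a minimum acceptable coverage figure; the monthly values and tolerances are constructed for illustration. The trend is a least-squares slope in coverage points per month, so a control is rated green when it meets tolerance, amber when it is below tolerance but improving, and red when it is below tolerance and flat or declining.

```python
"""Board-level risk metrics for the six CIS Basic controls (added example).

Each control is tracked as a monthly coverage percentage. Leadership sets
a tolerance: the minimum coverage it is willing to accept. For every
control we report the current value, the average over the period, the
month-over-month trend and the gap to tolerance, then colour it
green / amber / red.
"""
from math import ceil
from statistics import mean

# Constructed sample data: six months of coverage % per control.
# The control names are the CIS Controls v7 Basic controls; the numbers
# are illustrative and not taken from any real organisation.
CONTROL_NAMES = {
    "CIS 1": "Inventory and Control of Hardware Assets",
    "CIS 2": "Inventory and Control of Software Assets",
    "CIS 3": "Continuous Vulnerability Management",
    "CIS 4": "Controlled Use of Administrative Privileges",
    "CIS 5": "Secure Configuration for Hardware and Software",
    "CIS 6": "Maintenance, Monitoring and Analysis of Audit Logs",
}
MONTHLY_COVERAGE = {
    "CIS 1": [72, 75, 79, 83, 86, 90],
    "CIS 2": [60, 62, 61, 63, 64, 66],
    "CIS 3": [88, 86, 85, 83, 81, 80],
    "CIS 4": [91, 92, 92, 93, 94, 95],
    "CIS 5": [70, 70, 71, 71, 72, 72],
    "CIS 6": [55, 55, 54, 55, 55, 54],
}
# Assumed tolerance levels (minimum acceptable coverage %) set by leadership.
TOLERANCE = {"CIS 1": 90, "CIS 2": 85, "CIS 3": 90,
             "CIS 4": 90, "CIS 5": 80, "CIS 6": 80}


def trend_per_month(values):
    """Least-squares slope of the series, in coverage points per month."""
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = mean(values)
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def rate(current, tolerance, trend):
    """Green: at tolerance. Amber: below but improving. Red: below and flat or declining."""
    if current >= tolerance:
        return "green"
    return "amber" if trend > 0 else "red"


def months_to_tolerance(current, tolerance, trend):
    """Months until tolerance is reached at the current trend.

    0 if already met; None if the control is not improving, so no date can be given.
    """
    if current >= tolerance:
        return 0
    if trend <= 0:
        return None
    return ceil((tolerance - current) / trend)


def summarize(control, monthly, tolerance):
    """One report row: current value, period average, trend, gap and rating."""
    current = monthly[-1]
    trend = trend_per_month(monthly)
    return {
        "control": control,
        "name": CONTROL_NAMES.get(control, ""),
        "current": current,
        "average": round(mean(monthly), 1),
        "trend_per_month": round(trend, 2),
        "gap_to_tolerance": current - tolerance,
        "status": rate(current, tolerance, trend),
        "months_to_tolerance": months_to_tolerance(current, tolerance, trend),
    }


def board_report(coverage=MONTHLY_COVERAGE, tolerance=TOLERANCE):
    """All rows, red first and widest gap first: those need a plan and a budget."""
    rows = [summarize(c, coverage[c], tolerance[c]) for c in coverage]
    order = {"red": 0, "amber": 1, "green": 2}
    return sorted(rows, key=lambda r: (order[r["status"]], r["gap_to_tolerance"]))


if __name__ == "__main__":
    for r in board_report():
        print(f"{r['control']:<6} {r['status']:<6} now {r['current']:>3}% "
              f"avg {r['average']:>5}% trend {r['trend_per_month']:+.2f}/mo "
              f"gap {r['gap_to_tolerance']:+d} months-to-tolerance {r['months_to_tolerance']}")
```

The sort order is deliberate: red controls (below tolerance and not improving) are the ones for which the board will ask for a remediation plan and a cost, so they lead the report, followed by amber controls with a projected date for reaching tolerance.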
Once the Basic controls are in place, do the same for the Foundational and Organizational controls. The metrics on the Basic controls will be evidence enough to set priorities for the rest. Come prepared with implementation plans and cost estimates for the remaining controls.