Last week, I spoke about board reporting, and how it helps to validate our programs and give the board confidence that we’re minding the store. Today, I’d like to widen the lens to IT reporting and offer advice on how to do it in a purposeful way.
Not everyone thinks that IT metrics should be shared with the board, but the fact of the matter is, information technology also manages risk and has risk for the organization. So in my mind, that makes board reporting essential.
Often IT's reporting goal is a little different from the security department's goal. Cybersecurity execs want to let the board know what risks are out there, and be able to quantify them and offer some qualitative analysis. In many cases, that helps to provide some additional context around the organization's technology platforms that can inform the board of needed changes in direction.
So if the overarching goal is to ensure the board is aware of management’s focus on technology, and on protecting information and the business’s finances, it is absolutely essential to provide both IT and security metrics to the board.
Some of the IT metrics you'll want to include are those around help desk volume, because that offers insight into how good your technology is. Repeat calls fall under help desk volume, as do things like password resets. All these things give the board context about the technology platforms the business uses to be successful.
Another thing that is really important to talk about from an IT standpoint is the aging of systems. How many systems are close to sunset? What’s the overall age of the platforms you have? Offer some context on the viability of those systems moving forward. This isn’t something that you would report on monthly, but rather, quarterly, or maybe even semi-annually.
There are also metrics that are industry-specific. For the financial industry, we report a lot of data around our banking core, the back-end system that processes transactions and posts updates to financial records. It’s the system that tells you what your balances are and enables you to transfer money and that sort of thing. It’s a very essential piece of software that every bank has to have.
It’s also a very highly regulated piece of software. If we have issues with the core, we can get fined, and those fines can be substantial if people can’t get access to their money.
Such technology – and there are analogous systems in other industries – is the lifeblood of the organization, and the board is responsible for its function. Being able to provide the board with confidence that things are running the way they should with that key piece of technology is very, very important.
The presentation to the board should be a conversation around what the report says, and not a regurgitation of the data in the report. This is the opportunity to illuminate for the board what the data mean and put their minds at ease that management is actioning and handling that information.
We want to provide confidence, we want to provide clarity – and providing consistent and meaningful reporting is an essential tool to do that.
(Originally posted on Security Current)