Having been a CISO for large multi-national corporations for over 20 years, I have created, run and evolved third-party risk management programs for some very complex organizations. That experience taught me a lot, including what worked and what did not. Now, as CEO of Cambridge Cyber Advisers, I sit on the other side of the board table working alongside the Board Chair to support the CISO in achieving the maximum possible risk reduction across the full security spectrum.
In my role as a board advisor, I often observe complex metrics and data being reported up to management from the security team. All too often, much of the intended message and desired outcomes are lost in translation as the security team has to massage the data for non-security audiences. To accomplish this, the security team creates their own set of meaningful metrics.
In this post I will define meaningful metrics, discuss the challenges I see with determining the right metrics to report to the board, and describe a mature approach to third-party risk metric reporting.
Security reporting should be clear and concise, and in no other area is this more critical than in third-party assurance. Third-party assurance is one of the most challenging risk areas to quantify and manage from a CISO’s perspective due to three factors:
Meaningful metrics, therefore, are needed to clearly articulate a consolidated set of key performance indicators (KPIs) and key risk indicators (KRIs) to executives or board members. These metrics reduce the need to analyze large, complex security dashboards by distilling the real security implications behind the numbers.
An example of a meaningful metric is Mean Time to Detect (MTTD). This metric shows the board how effective you are in detecting issues within the supply chain; how leading and lagging KPIs/KRIs are performing; and includes information from technical, process and cultural aspects. The extra details are always available if required, but it is important to present a consolidated and meaningful metric in the first place.
Webinar: Distilling Useful Metrics from Third-Party Risk Data
Join Bryan Littlefair, CEO of Cambridge Cyber Advisers, to learn how to implement meaningful metrics for more efficient third-party risk analysis.
Third-party risk management reporting challenges can be simplified into three categories: approach, resources and tooling. For example, if the security team lacks the right strategy for third-party assurance, then articulating how the function will manage risk across the supplier base is purely tactical. Instead, the team needs to balance the resources required to manage risks to an acceptable level against the maturity of the process. After all, an immature approach will need more resources (e.g., budget, people, time, etc.) to run. That’s why tooling is essential to embracing innovation and moving away from using spreadsheets to manage your supplier risk.
A mature approach to delivering third-party assurance and meaningful metrics looks like the following:
These are practical improvements that any security team can embrace to improve the maturity of their third-party assurance process and articulate meaningful risk metrics to the business.
For more, check out the on-demand version of my webinar, Distilling Useful Metrics From the Pile of Third-Party Risk Data. Or, contact Prevalent today to learn how they can help optimize your third-party risk management program.