The NACD posted these questions to ask your security team:
1. Does the security team have a full, well-informed view of the organization’s security posture?
2. Is our organization resilient to attack?
3. Is the security team confident it can detect and respond quickly to security incidents?
4. How do you measure the effectiveness of our cybersecurity program and initiatives?
5. Do political or financial considerations impact your ability to protect the organization effectively?
Here is the CHICAGO Metrics™ response:
1. Yes, we know the overall CHICAGO Score™ and the average Risk and Effort ratings to drive decisions and prioritization.
2. We have advised the Board based on Risk and Effort and are at, or working towards, the risk posture the Board tolerates.
3. We tactically measure multiple points, including incident response. These aggregate into the Character, Availability, Confidentiality, Integrity, and GOld scores, and we actively manage to them.
4. We have 142 tactical metrics for conversations with engineers, and we aggregate them into 6 key business/risk indicators for conversations with executives, complete with an overall CHICAGO Score™. The score carries Risk and Effort indicators that give prioritization direction. This ties into the CHICAGO Maturity Model, which gives a definitive quantitative scoring model for determining your organization's maturity level.
5. We publish and manage to our Risk (Likelihood*Impact) and Effort (Time*People*Money) scores. This lets us quantitatively give the executive team the information they need to make an informed decision. These scores can also be tied to the 6 key CHICAGO Metrics™ and to how each relates to a particular C-Suite executive. - Think: "Speak their language."