The recent increase in security incidents, their significant impacts and the rising regulatory focus make security risk a key topic for board reporting. The key questions that frequently come up are:
“Are we measuring the right things?”
“Are others measuring the same things?”

The primary objective of all reporting is to provide visibility and track:
• Security risk (current and target)
• Business security risk profile
• Security controls, their current and target maturity
• Security metrics
Level 1 – This is a control area dashboard that underpins the Level 0 report. Most suitable for executive leadership teams (CEO and direct reports).

Level 2 – This is a deep dive by control area and includes four options. Most suitable for security governance forums (service owners and control owners).
Option 1 (L2:O1) (Slides 11 & 12)
Option 2 (L2:O2) (Slide 13)
Option 3 (L2:O3) – Detailed control dashboard (Slide 15)
Typically this slide is targeted at the executives or the board of an organisation that has a risk management focus but is yet to achieve its target state maturity. They may have one or more transformational programs in place to achieve target state. Organisations that are already at target state maturity can use the Level 1 dashboard, as it is more detailed. When starting the journey it is easy to get lost in detail, hence a top down, risk based approach is advisable.

The five dimensions (insider attack, data, external attack, people and physical) are categories of risk that map to controls across the cyber, personnel and physical security domains. This dashboard largely remains unchanged except for the incidents, issues and the commentary. The second option brings KRI reporting into the security report that usually gets reported to the Risk Committee in a risk report. The metrics presented here are the most common ones that the Board is interested in; they can be expanded based on the maturity of the organisation.
Level 0 dashboard – Quarterly Security Insights (2023), example content:

Group Risk*: Security Incident
Risk Appetite: Risk Averse – not within appetite
Current Risk Rating: H
Target Risk Rating: M
Risk Treatment Action: 1. Cyber Transformation Program; 2. Protective Security Program
*as per 18/19 Group Risk Profile

Risk Rating legend (as per the company’s Risk Management Framework): L Low, M Medium, H High, E Extreme

External trend commentary: Chinese state-sponsored group APT10 (prosecuted by the US) was attributed with compromising Managed Security Service providers and US systems. We have now received assurance from all our Tier 1 partners that our data and systems are not impacted.

There are five (5) key underlying components that make up the overall risk of a “Security Incident”. Security Risk Components, with Current Risk Rating and Target Risk Rating (2020):
• Insider Attack – Inappropriate access to company systems: current H, target M
• External Attack – Malicious cyber attack leading to the compromise or loss of control of critical systems: current H, target M
• Data – Loss of confidential data: current H, target M

Security Incidents (in the prior quarter): 0 P1 incidents, 2 P2 incidents
Critical & High Security Issues (in the prior quarter): 3
% of staff reporting phishing emails: 19% (target > 20%)
Target audience
Typically this slide is targeted at risk committees and executive leadership teams (CEO and direct reports) of an organisation with a focus on security controls spanning cyber, physical and personnel. As an organisation matures, this dashboard may be shared with the board.

Context
The five dimensions (insider attack, data, external attack, people and physical) are categories of risk that map to controls across the cyber, personnel and physical security domains. The five dimensions also have an external trend lens, which the security team’s threat and intelligence function is expected to track through external incidents, near misses or external threats. This ensures the risk position has not only an internal controls lens but also an external threat trend lens.

The slide calls out four key impact scenarios; these may be the ones that are topical at the time, until the control position is significantly uplifted. It is recommended that the organisation complete its own risk bowtie analysis to arrive at its top risk scenarios, or the ones called out in the slide can be used instead.

The control areas each have a dedicated slide with underpinning metrics in subsequent slides and in the Appendix. Please note the metrics that have been called out are the commonly used metrics and can be tailored based on an organisation’s maturity journey as well as its risk appetite.
Level 1 dashboard header: How are Company ABC’s controls operating to reduce its security related risks?
“How can we be compromised via security threats?” – the key threat vectors/means that drive our top security risks …this results in…
“What business impacts can be realised?” – our current residual security risk exposure …which are mitigated by…
“How are we addressing cyber related risks?” – the key cyber control areas that reduce the likelihood or impact of cyber threats
Columns: Security Threat Vector | Company ABC Trend | External Trend | Risk Area | Risk Scenarios | RAG Trend | Ref | Key Security Control Areas & Commentary
Target audience
Typically these slides are targeted at service and control owners within security, technology and business areas. There are a couple of options here: the first is more detailed and focussed on current, target and trending of metrics; the second is metrics focussed only, hence may be better suited to a RAG status.

Context
The first report offers more opportunity to call out risks, controls and actions planned or underway to mitigate the risks. Both options are metric based and hence quantitative in nature, although Option 1 offers some opportunity to include qualitative metrics and a mix of leading and lagging indicators.

The target state metrics are based on consultation with various organisations and will need to be tuned based on where the organisation and the security team are in their maturity journey and what the end goal is. For example, it may be better to start with more relaxed metrics and RAG statuses; otherwise the entire report will appear red and may cause significant panic at the executive and board levels.

If the organisation is very immature, a better way to manage this with the executives may be to start with the overall current and target risk appetite and create target metrics that align to the risk appetite.
Level 2 Option 1/2 slides (control area excerpts):
• Reporting on cyber security governance activities including cyber security program, audit, cyber risk and assurance
• Prevention of information theft and/or disclosure resulting in non-compliance with regulatory requirements e.g. Privacy Act
• Physical Security includes security for corporate and non-corporate sites
• Personnel security including vetting and background checks
Table columns: Ref | Key Metric | Previous | Current | Target | RAG and Trend
PeS.3 Business is unable to enforce periodic background checks for existing staff – action: review approval processes for background exceptions

DATA STORAGE, ENCRYPTION, INTEGRITY & CONFIDENTIALITY – key metrics and RAG thresholds:
• Workstations – % of End User computers with full disk encryption – G: >95%, A: 90% - 95%, R: <90%
• Mobile Devices – % of corporate mobile devices with MDM solution that blocks data loss and has encryption – G: >95%, A: 90% - 95%, R: <90%
• Mobile Devices – % of BYOD devices accessing corporate systems with no MAM or equivalent solution – G: <2%, A: 2% - 5%, R: >5%
• Workstations – % of end user computing devices with DLP coverage – G: >95%, A: 90% - 95%, R: <90%
• % of DLP exceptions that remain unactioned or not risk accepted – G: <5%, A: 5% - 10%, R: >10%

Scanning and patching metrics:
• Workstations – % desktops/laptops with scanning coverage – G: >95%, A: 90% - 95%, R: <90%
• Infrastructure – % network and infrastructure with scanning coverage – G: >95%, A: 90% - 95%, R: <90%
• # Externally-facing open critical vulnerabilities identified more than 30 days old without mitigation – target: 0
• % Non-OS Crown Jewels deployed critical security patches or with mitigation – target: 100%
• % Non-OS Other Systems deployed critical security patches or with mitigation – target: 80%
Standardised Executive Reporting, 2022 – Slide 13
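As an added example (not part of the deck), the following Python evaluates a metric against the slide’s own threshold strings, such as “G: >95%, A: 90% - 95%, R: <90%”, and derives the trend arrow from the previous and current values; the sample metrics, their refs and values are constructed, and thresholds given as a single absolute target (0, 100%) are out of scope and rejected.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches one band of a slide threshold string such as "G: >95%, A: 90% - 95%, R: <90%".
BAND_RE = re.compile(r"([GAR]):\s*([<>]?)\s*(\d+(?:\.\d+)?)%?(?:\s*-\s*(\d+(?:\.\d+)?)%?)?")

def parse_bands(spec: str) -> dict:
    """'G: >95%, A: 90% - 95%, R: <90%' -> {'G': ('>', 95.0, None), 'A': ('', 90.0, 95.0), ...}."""
    bands = {c: (op, float(lo), float(hi) if hi else None) for c, op, lo, hi in BAND_RE.findall(spec)}
    if set(bands) != {"G", "A", "R"}:
        raise ValueError(f"threshold spec must define G, A and R bands: {spec!r}")
    return bands

def _in_band(value: float, band: tuple) -> bool:
    op, lo, hi = band
    if hi is not None:          # range band such as "90% - 95%", inclusive at both ends
        return lo <= value <= hi
    return value > lo if op == ">" else value < lo if op == "<" else value == lo

def rag_status(value: float, spec: str) -> str:
    """RAG colour for a metric value; the range (amber) band is checked last so the
    boundary values 90 and 95 in the page's specs land on amber, the conservative reading."""
    bands = parse_bands(spec)
    for colour in ("G", "R", "A"):
        if _in_band(value, bands[colour]):
            return colour
    return "A"  # value falls in a gap the spec leaves between bands; never report green by default

def trend(previous: Optional[float], current: float, higher_is_better: bool) -> str:
    """Trend arrow as drawn on the slides: ▲ improving, ▼ worsening, ► unchanged or no history."""
    if previous is None or previous == current:
        return "►"
    return "▲" if (current > previous) == higher_is_better else "▼"

@dataclass
class Metric:
    ref: str            # constructed reference, not one of the page's own refs
    name: str
    spec: str           # threshold string in the slide's G/A/R form
    previous: Optional[float]
    current: float

def evaluate(m: Metric) -> dict:
    """Direction of 'good' is read from the green band: '>' means higher is better."""
    higher_is_better = parse_bands(m.spec)["G"][0] == ">"
    return {"ref": m.ref, "rag": rag_status(m.current, m.spec),
            "trend": trend(m.previous, m.current, higher_is_better)}

# Constructed sample values (not from the page) against the page's own threshold strings.
SAMPLE = [
    Metric("DS.1", "% of End User computers with full disk encryption", "G: >95%, A: 90% - 95%, R: <90%", 92.0, 96.5),
    Metric("DS.3", "% of BYOD devices with no MAM or equivalent solution", "G: <2%, A: 2% - 5%, R: >5%", 3.0, 6.0),
    Metric("DS.5", "% of DLP exceptions unactioned or not risk accepted", "G: <5%, A: 5% - 10%, R: >10%", 7.0, 7.0),
]
```

Calling evaluate() over SAMPLE yields green/improving, red/worsening and amber/unchanged respectively, which is the row-level input a RAG dashboard needs before any roll-up.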
Level 2: Option 3 - Detailed control dashboard
Typically these slides are targeted at steering committees, executives, and service and control owners within security, technology and business areas. This option is based on a maturity model, is very comprehensive, and is likely to be prepared once every six months.

The report covers capability effectiveness, capability coverage and capability change, and also provides an indicator of where a capability uplift is required. These are all essential dimensions when considering the maturity of any capability. It is often the case that, whilst an end point protection capability has been deployed, operational gaps leave coverage sitting between 70 - 90%, and there are no failsafe mechanisms in place to monitor or ensure corrective actions are in place to maintain it consistently at the target level. All of these create a false sense of security in the effectiveness of the controls. Whether these dimensions are captured in a maturity report or in the metrics, a reliable measure of control effectiveness is necessary to ensure reliable outcomes.
Typically these slides are targeted at steering committees, executives, and service and control owners within security, technology and business areas. Similar to Option 3, this option is based on the security effectiveness, security hygiene, readiness and culture lenses for an organisation. The report is underpinned by more detailed metrics listed in the appendix, which cover trend, current state and target state, and provide an opportunity for a commentary against each of the metrics.
Option 4 dashboard (slide content):
Commentary prompts:
• Major incidents in the industry and what’s been in the news for the reporting period.
• Any key highlights on both internal and external threats.
Status legend: monthly RAG history (e.g. Jan G A A G, March G A A G); No/Little Change; Off Target (5-10%).

Four lenses, each shown as an Overview with Trend, Status and Capability columns:
• Security Hygiene monitors vulnerability and patch management within the technology environment, and workforce access management.
• Security Effectiveness monitors the effectiveness of implemented security controls.
• Security Readiness monitors the current state of security assessments, audit management actions and incident response capabilities.
• Security Culture monitors cyber awareness within the workforce, security compliance, and supply chain cyber risk.
Capabilities listed across the four lenses: Cybersecurity Visibility & Monitoring; Privileged Access Management; End Point Security; Regulatory Compliance; Critical Systems Readiness; Email Security; Attack Surface Reduction; Deviation Management; Audit Management Actions (Technology); Cybersecurity Awareness & Training; Cybersecurity Incident Overview; Patch Management; Cybersecurity Incident Response; Third Party Cyber Risk Management; Technical Security Assessment (TSA).

Top performing metrics (example values):
• 99 % of privileged users on-boarded on enterprise PAM solution
• 81 % of spam and malicious emails blocked
• 2 # of Technology audit actions
• 97 % of Cybersecurity & Corporate controls are compliant
• 0.5 Average time to disable privileged user account (in hours)
• 0 # P1 cyber incidents
• 0 # of Technology audit actions overdue
• 0 % of high risk contracts that did not perform security assessment
• 0 Critical vulnerabilities identified from ethical hack
• 0 # P2 cyber incidents
• 8 Average time to detect potential incident (minutes)
• 5.2 % of links clicked during Phishing Campaign

Bottom performing metrics (example values):
• 17399 # of open Critical vulnerabilities
• 149 # MSS high priority alerts
• 55% % of systems not assessed for criticality (CIA)
• 44 % of emails reported during Phishing Campaign
• 38765 # of Critical vulnerabilities remediated
• 2 # confirmed cyber incidents – Phishing (P3 incident)
• 61 # critical and high risk deviations approved
• 15 % of critical systems that have a Service Continuity plan in place
• 728 Total number of end of life / end of support devices that are not patched
• 2 # confirmed cyber incidents – Malware (P3 incident)
• 65 % of critical systems that have completed Service Continuity testing
• 3 # critical and high risk deviation extensions approved
Security Effectiveness (G) – monitors the effectiveness of implemented security controls. Reporting Period: 1st to 30th “month” “year”
Columns: Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments
• Cybersecurity Incident Overview – Number of high priority alerts: current 153, previous 38, risk level L
Typically these slides are targeted at senior business stakeholders (EGMs), with the intent that the business takes ownership of its respective security risks. These reports have four possible areas that can be covered, based on the maturity of the organisation and the security function –
3. Security risks and maturity of controls; these include findings, issues and risks from audits and security risk assessments.
These reports need consistent data sources underpinning them, or else the veracity of the report will quickly become the focus rather than improving the risk profile position.
Executive dashboard (chart residue): phishing simulation results for business units A, B, C and D over Sep-20, Oct-20 and Nov-20, charting the Report, Submit and Clicked rates for each campaign.
Level 1 control area slide (example content; columns Previous | Current | Target):
High and Medium long outstanding issues tracking RED (#): 3 (target <1)

Awareness and training provides Company ABC personnel with the education to meet their cyber security related responsibilities
• CA.1 Percentage of users who completed mandatory cyber training on time: 89% | 89% | 100%
• CA.2 Phishing resiliency rate, all employees: 2.5 | 0.24 | 5
• CA.2 January 2021 phishing campaign had a high click rate (11%) and low reporting rate (3%) – action: divisional presentations on the importance of taking action

Authorised people can access our systems and our critical systems are subject to additional controls
• RSA.1 Percentage of administration accounts in Privileged Access Management solution: 71% | 71% | 100%
• RSA.2 Percentage of administration accounts with completed access reviews: 100% | 100% | 100%
• RSA.1 Administration account passwords are more vulnerable – action: more frequent re-certification of accounts

Ensuring we know what our technology assets are so we can ensure they are not vulnerable (servers, laptops, software etc.)
• VM.3 Vulnerable to a cyber breach – action: in-flight project to assess, and plan in place for FY22 remediation

Perimeter and Endpoint Security proactively protects AusNet Services from a cyber attack

Disaster recovery includes backing up and restoring systems and integration between cyber security and emergency management

Providing assurance to our business that our partners are managing cyber security risk
• TPCR.3 Vendors are not compliant with our policies – action: review contract terms with finance/procurement
Security Effectiveness (G) – monitors the effectiveness of implemented security controls. Reporting Period: 1st to 30th “month” “year”
Columns: Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments
• Top 3 cybersecurity incidents by NIST Attack Vector – Intent: to further drive the Cyber Threat Intelligence capability and help determine focus areas for Cyber Operations
Security Hygiene (A) – monitors vulnerability and patch management within the technology environment, and workforce access management. Reporting Period: 1st to 30th “month” “year”
Columns: Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments
• # of Critical vulnerabilities remediated: current 20,000, previous 60,000, risk level M
• Shadow IT instances: current 2, previous 2, risk level L
Security Readiness (A) – monitors the current state of security assessments, audit management actions and incident response capabilities. Reporting Period: 1st to 30th “month” “year”
Columns: Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments
• Endpoint Security – Total number of endpoints connected to IT network: current 196,398, previous 196,390, risk level L
• Endpoint Security – % of IT servers meeting AV compliance status: current 98%, previous 98%, risk level L – No significant changes since October.
• Endpoint Security – % of OT servers meeting AV compliance status: current 98%, previous 98%, risk level L – No significant changes since October.
• # of repeated Technology audit findings: current 0, previous 0, risk level L
• Cybersecurity Incident Response – Average time to resolve P1 incident: current 0, previous 0, risk level L
Security Culture (G) – monitors cyber awareness of workforce, security compliance, and supply chain cyber risk. Reporting Period: 1st to 30th “month” “year”
Columns: Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments
• Deviations Management (Compliance to Cyber Standards) – Total deviations submitted MTD: current 60, previous 50, risk level L
• Deviations Management (Compliance to Cyber Standards) – # of critical and high-risk security deviations approved MTD: current 21, previous 5, risk level M
• % of employees completed cybersecurity training (Technology only): current 34%, previous 97%, risk level M
Question: Why do we have a limited set of KRIs that are phishing related in the KRI list? Surely there are other KRIs that are important?
Answer: The KRI list is based on what the board has the highest interest in. These days it is phishing, but for different boards it could be different topics, and this list should be customised based on the requirements of the individual organisation.

Question: How can external threat and incident data be captured?
Answer: The CISO Lens community already has a template for reporting external incidents, their root cause and the controls that your organisation has in place to protect against a similar type of attack.

Question: For a security business that is less mature, what is a suggested set of templates that can be used?
Answer: If your business has low maturity and has a transformation program in place to achieve the desired maturity, it is recommended that either of the Level 0 Options 1 or 2 be used. This can be underpinned by the Level 1 Security dashboard, starting with a smaller set of metrics and building out to a more detailed list as the function matures.

Question: Are these metrics relevant for outsourced arrangements as well?
Answer: Yes, the metrics and reporting are relevant whether you have an insourced, hybrid or outsourced function; however, further work is recommended in baking the metrics into the KPIs for a managed service provider so that some of them become mandatory (especially the ones linked to basic hygiene).

Question: Why are project related metrics not included in the dashboard?
Answer: The expectation is that every security team will have some form of transformation programs / projects, and given these may be informed by central project management office functions, they have not been included. Besides, project delivery metrics are usually standardised around scope, time and cost.
andy-chauhan-23861b benchmark@cisolens.com