
Standardised Executive Reporting

An industry report from the CISO Lens community


Author: Andy Chauhan, alumnus
Published: June 2022
Preamble - from CISO Lens

This report has its roots in innumerable conversations within the CISO Lens community, over many years. In 2021, one of our former members took up the challenge and produced this report.

The problem we set out to address: Board members see cyber security and risk management presented to them in many ways. The more boards they sit on, the more ways they see cyber security management presented.

We wanted to create a common understanding across multiple organisations. That meant creating a series of templates to help structure cyber security reporting.

We have published this report with the following intentions:

1. For CISOs in newly created roles, to offer them a starting point that would come from the same principles as their peers.
2. For executives in organisations that do not have a CISO, to offer a starting point and help them see how dedicated internal security executives view the process of reporting on cyber security.
3. For board members, to offer them an insight into cyber security reporting issues that are common across many organisations.

Please note, this report is offered as a starting point, and you are free to use as much, or as little, as you like. Most importantly, this report should be viewed through the nuances of your organisation and the environment it operates in.

Our thanks to Andy Chauhan for creating this series of templates.

Standardised Executive Reporting, 2022 Slide 2


Context and objectives

Context

The recent increase in security incidents, their significant impacts and the rising regulatory focus make security risk a key topic for board reporting.

The key questions that frequently come up:
“Are we measuring the right things?”
“Are others measuring the same things?”

This document provides some templates for standardised executive reporting, developed in consultation with the CISO / CSO community.

Objectives

The primary objective of all reporting is to provide visibility and track:
• Security risk (current and target)
• Business security risk profile
• Security controls, their current and target maturity
• Security metrics

Standardised Executive Reporting, 2022 Slide 3


Structural overview of this report

This report is a series of templates and commentary. It is structured into four sections, plus appendices:

Level 0 – A risk report that shows risk appetite, Key Risk Indicators and current and target state of risk. Two options have been included here. Most suitable for board risk committees or the board.

Level 1 – This is a control area dashboard that underpins the Level 0 report. Most suitable for executive leadership teams (CEO and direct reports).

Level 2 – This is a deep dive by control area and includes four options. Most suitable for security governance forums (service owners and control owners).

BU Risk Report – Two options have been included here. Most suitable for business unit executives (EGMs).

Appendix – A series of deep dive templates, and detailed dashboards. We also include a Frequently Asked Question section.

Map of this report:

Level 0 – Executive security risk dashboard
  Option 1 (L0:O1) (Slide 6)
  Option 2 (L0:O2) (Slide 7)
Level 1 – Security Risk dashboard
  Option 1 (L1:O1) (Slide 9)
Level 2 – Detailed control dashboard
  Option 1 (L2:O1) (Slides 11 & 12)
  Option 2 (L2:O2) (Slide 13)
  Option 3 (L2:O3) (Slide 15)
  Option 4 (L2:O4) (Slides 17 & 18)
BU Risk Report
  Option 1 (BURR:O1) (Slide 20)
  Option 2 (BURR:O2) (Slide 21)
Appendix (Slides 22-33)

Standardised Executive Reporting, 2022 Slide 4


Level 0: Option 1 & 2 – Executive security risk dashboard

Target audience

Typically this slide is targeted at the executives or the board of an organisation that has a risk management focus, but is yet to achieve its target state maturity. They may have one or more transformational programs in place to achieve target state. Those organisations that are at target state maturity can use the Level 1 dashboard, as this is more detailed. When starting the journey, it’s easy to get lost in detail, hence a top down, risk based approach is advisable.

Context

The five dimensions (i.e. insider attack, data, external attack, people and physical) are categories of risk that map to controls across the cyber, personnel and physical security domains.

This dashboard largely remains unchanged except for the incidents, issues and the commentary. The second option brings KRI reporting into the security report that usually gets reported to the Risk Committee in a risk report. The metrics presented here are the most common ones that the Board is interested in; however they can be expanded based on the maturity of the organisation.

Standardised Executive Reporting, 2022 Slide 5


Level 0: Option 1 – Executive security risk dashboard

Executive Security Risk Dashboard, December 2021

Quarterly Security Insights
Chinese state-sponsored group APT10 (prosecuted by the US) was attributed to compromising Managed Security Service providers and compromising US systems. We have now received assurance from all our Tier 1 partners that our data and systems are not impacted.

Group Risk* | Risk Appetite | Current Risk Rating | Target Risk Rating (2023) | Risk Treatment Action
Security Incident | Risk Averse (Not within Appetite) | H | M | 1. Cyber Transformation Program; 2. Protective Security Program
*as per 18/19 Group Risk Profile

Risk Rating* legend: L Low; M Medium; H High; E Extreme
*as per the company’s Risk Management Framework

There are five (5) key underlying components that make up the overall risk of a “Security Incident”.

Security Risk Components | Current Risk Rating | Target Risk Rating (2020)
Insider Attack - Inappropriate access to company systems | H | M
Data - Loss of confidential data | H | M
External Attack - Malicious cyber attack leading to the compromise or loss of control of critical systems | H | M
People - Employees maliciously or accidentally expose company to a security incident | M | L
Physical - Unauthorised physical access to company site (incl. loss, damage or theft of assets) | H | L

Security Incidents (in the prior quarter): 0 P1 Incidents; 2 P2 Incidents

Critical & High Security Issues (in the prior quarter): Total 0 = Opened 0 + Closed 0 + Raised 1

Standardised Executive Reporting, 2022 Slide 6


Level 0: Option 2 – Executive security risk dashboard

Executive Security Risk Dashboard, December 2021

Quarterly Security Insights
Chinese state-sponsored group APT10 (prosecuted by the US) was attributed to compromising Managed Security Service providers and compromising US systems. We have now received assurance from all our Tier 1 partners that our data and systems are not impacted.

Group Risk* | Risk Appetite | Current Risk Rating | Target Risk Rating (2023) | Risk Treatment Action
Security Incident | Risk Averse (Not within Appetite) | H | M | 1. Cyber Transformation Program; 2. Protective Security Program
*as per 18/19 Group Risk Profile

Risk Rating* legend: L Low; M Medium; H High; E Extreme
*as per the company’s Risk Management Framework

There are five (5) key underlying components that make up the overall risk of a “Security Incident”.

Security Risk Components | Current Risk Rating | Target Risk Rating (2020)
Insider Attack - Inappropriate access to company systems | H | M
Data - Loss of confidential data | H | M
External Attack - Malicious cyber attack leading to the compromise or loss of control of critical systems | H | M
People - Employees maliciously or accidentally expose company to a security incident | M | L
Physical - Unauthorised physical access to company site (incl. loss, damage or theft of assets) | H | L

Key Risk Indicators | Target | Status
1. % of staff who have completed the protective security training | 98% | 98%
2. % of staff clicking on links in phishing emails | <9% | 5%
3. % of staff reporting phishing emails | >20% | 19%
4. # of material security incidents | 0 | 0%

Standardised Executive Reporting, 2022 Slide 7


Level 1: Option 1 - Security risk dashboard

Target audience

Typically this slide is targeted at risk committees and executive leadership teams (CEO and direct reports) of an organisation with a focus on security controls spanning cyber, physical and personnel. As an organisation matures, this dashboard may be shared with the board.

Context

The five dimensions of insider attack, data, external attack, people and physical are categories of risk that map to controls across the cyber, personnel and physical security domains. The five dimensions also have an external trend lens which the security team’s threat and intelligence function is expected to track through external incidents, near misses or external threats. This is to ensure the risk position not only has an internal controls lens but also an external threat trend lens.

The slide calls out four key impact scenarios; these may be ones that are topical at the time until the control position is significantly uplifted. It is recommended that the organisation complete its own risk bowtie analysis to arrive at the top risk scenarios, or instead the ones called out in the slide can be used.

The control areas each have a dedicated slide with underpinning metrics in subsequent slides and in the Appendix.

Please note the metrics that have been called out are the commonly used metrics and can be tailored based on an organisation’s maturity journey as well as its risk appetite.

Standardised Executive Reporting, 2022 Slide 8


Level 1: Option 1 - Security Status Dashboard – Dec 2021

Legend – Trend: Steady; Improving; Declining. Status: On Track; < 10% Off Track; > 10% Off Track.

How are Company ABC’s controls operating to reduce its security related risks?

“How can we be compromised via security threats?” – The key threat vectors/means that drive our top security risks
...This results in...
“What business impacts can be realised?” – Our current residual security risk exposure
...Which are mitigated by...
“How are we addressing cyber related risks?” – The Key Cyber Control Areas reduce the likelihood or impact of cyber threats

Security Threat Vectors (each shown with a Company ABC trend and an External trend): Insider Attack; Asset Theft; External Attack; Partners and Supply Chain; People; Physical

Risk Areas: Operational Disruption; Data Asset (physical and non physical) Protection; Our People

Risk Scenarios:
1. ABC is disrupted or compromised from a security attack resulting in: harm to staff, the environment or society; damage to physical assets; disruption to business operations.
2. Unauthorised access or theft of valuable assets (sensitive information, physical sites), resulting in: fraud; financial loss; privacy breach.
3. Third parties relied on by ABC are compromised, resulting in: third party exploited by an adversary to conduct an attack; disruption to operations.
4. ABC personnel unintentionally interact with a malicious email, resulting in: credential theft; disruption to operations.

Key Security Control Areas (each with a RAG status and trend):
1. Security Risk and Governance
2. Information Security and Privacy
3. Our People’s Cyber Awareness
4. People have the right systems access
5. Technology Asset Management
6. Perimeter and Endpoint Security
7. Vulnerability Management
8. Monitoring and Incident Response
9. Physical Security
10. Third Party Cyber Risk

Commentary

Threats
• Third party risk increased with the SolarWinds breach.
• Email attacks have increased in volume at Company ABC, resulting in more simulations being conducted.

Controls
• Recent phishing simulation delivered low results on emails reported. Communication blitz in Feb.
• Vulnerability Management has a project in-flight to assess this area. Milestones will be established for the next reporting period.
• Outstanding high-risk findings with vendors require escalation.

Standardised Executive Reporting, 2022 Slide 9


All metrics in this pack are reported on current and previous quarters.

Level 2: Option 1 – Detailed control dashboard

Target audience

Typically these slides are targeted at service and control owners within security, technology and business areas. There are a couple of options here: the first is more detailed and focussed on current, target and trending of metrics; the second option is metrics focussed only, hence may be more suited to a RAG status.

Context

The first report offers more opportunity to call out risks, controls and actions planned or underway to mitigate the risks. Both options are metric based and hence quantitative in nature, although Option 1 offers some opportunity to include qualitative metrics and a mix of leading and lagging indicators.

The target state metrics are based on consultation with various organisations and will need to be tuned based on where the organisation and the security team are in their maturity journey and what the end goal is.

For example, it may be better to start with more relaxed metrics and RAG statuses; otherwise the entire report will appear to be red and may cause significant panic at the executive and board levels.

If the organisation is very immature, a better way to manage this with the executives may be to start with the overall current and target risk appetite and create target metrics that align to the risk appetite.

Standardised Executive Reporting, 2022 Slide 10


Level 2: Option 1 - Detailed control dashboard – Cyber Risk and Governance | Information Security and Privacy

Cyber Risk and Governance: reporting on cyber security governance activities including the cyber security program, audit, cyber risk and assurance

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
CRG.1 | Percentage of cyber security projects delivered on budget | 100% | 100% | 90%
CRG.2 | Percentage of cyber security program milestones completed as planned | 100% | 100% | 90%
CRG.3 | Number of security exemptions overdue for review in accordance with the Policy requirements | 0 | 0 | 0
CRG.4 | Number of open cyber risks rated as critical or high | 18 | TBC | 10
CRG.5 | Number of overdue audit findings | 1 | 0 | 1

Information Security and Privacy: prevention of information theft and/or disclosure resulting in non-compliance with regulatory requirements e.g. Privacy Act

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
ISP.1 | Number of mandatory data breach notifications | 0 | 0 | 0

Ref | Key Risks/Issues | Mitigation Strategies/Action Plans | Owner(s)
CRG.4 | Risk data is being reviewed and framework refreshed

Standardised Executive Reporting, 2022 Slide 11


Level 2: Option 1 - Detailed control dashboard – Physical Security | Personnel Security

Physical Security includes security for corporate and non-corporate sites

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
PS.1 | Percentage of physical sites with monitoring controls | 98% | 98% | >95%
PS.2 | Percentage (%) of sites with no reported theft or security breach incident | 90% | 91% | >90%

Personnel security including vetting and background checks

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
PeS.1 | Percentage of new staff with AusCheck or equivalent background checks performed | 95% | 95% | 100%
PeS.2 | Percentage of existing eligible staff that have a periodic background check performed | 75% | 77% | >90%
PeS.3 | Number of staff investigations and exceptions related to background checks | 2 | 1 | 0

Ref | Key Risks/Issues | Mitigation Strategies/Action Plans | Owner(s)
PeS.3 | Business is unable to enforce periodic background checks for existing staff | Review approval processes for background exceptions

Standardised Executive Reporting, 2022 Slide 12


Level 2: Option 2 - Detailed control dashboard – Information Security and Privacy | Vulnerability Management

Key Control | Asset Type | Metric | Target (Status / Trend shown as icons)

DATA STORAGE, ENCRYPTION, INTEGRITY & CONFIDENTIALITY
Workstations | % Employees exempt from USB restrictions | G: <2%, A: 2% - 5%, R: >5%
Workstations | % of End User computers with full disk encryption | G: >95%, A: 90% - 95%, R: <90%
(all) | % of customer data encrypted as per standard | G: >85%, A: 65% - 85%, R: <60%
Mobile Devices | % of corporate mobile devices with MDM solution that blocks data loss and has encryption | G: >95%, A: 90% - 95%, R: <90%
Mobile Devices | % of BYOD devices accessing corporate systems with no MAM or equivalent solution | G: <2%, A: 2% - 5%, R: >5%
Workstations | % of end user computing devices with DLP coverage | G: >95%, A: 90% - 95%, R: <90%
(all) | # of mandatory data breach exceptions | 0
(all) | % of DLP exceptions that remain unactioned or not risk accepted | G: <5%, A: 5% - 10%, R: >10%

VULNERABILITY MANAGEMENT
Workstations | % desktops/laptops with scanning coverage | G: >95%, A: 90% - 95%, R: <90%
Servers | % servers with scanning coverage | G: >95%, A: 90% - 95%, R: <90%
Infrastructure | % network and infrastructure with scanning coverage | G: >95%, A: 90% - 95%, R: <90%
(all) | # Externally-facing open critical vulnerabilities identified more than 30 days old without mitigation | 0
(all) | % OS resources patched/compliant – Internet facing | 100%
Workstations | % OS resources patched/compliant – Desktop/Laptops | G: >95%, A: 90% - 95%, R: <90%
Servers | % OS resources patched/compliant – Servers | G: >95%, A: 90% - 95%, R: <90%
Infrastructure | % OS resources patched/compliant – Network Devices | G: >95%, A: 90% - 95%, R: <90%
(all) | % Non-OS Crown Jewels deployed critical security patches or with mitigation | 100%
(all) | % Non-OS Other Systems deployed critical security patches or with mitigation | 80%

Standardised Executive Reporting, 2022 Slide 13
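The threshold notation in the table above (e.g. "G: >95%, A: 90% - 95%, R: <90%") is easy to mis-evaluate at the boundaries, and a spec can leave gaps: in the customer-data encryption row, a reading between 60% and 65% falls in no band. The following Python is an added example, not part of the CISO Lens report: it parses that notation, returns the RAG status for a reading, and flags specs whose bands leave gaps or overlap. The sample readings are constructed, and treating a bare target such as "0" or "100%" as Green when met exactly and Red otherwise is an assumption.

```python
"""RAG status evaluation for the threshold notation used in this dashboard,
e.g. "G: >95%, A: 90% - 95%, R: <90%".  Added example, not part of the
CISO Lens report; the sample readings at the bottom are constructed."""
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple

INF = float("inf")
_BAND_RE = re.compile(r"([GAR]):\s*([^,]+)")


class Band(NamedTuple):
    status: str      # "G", "A" or "R"
    lo: float        # lower bound (-inf when open on the left)
    lo_incl: bool    # True when the lower bound itself is inside the band
    hi: float        # upper bound (+inf when open on the right)
    hi_incl: bool    # True when the upper bound itself is inside the band

    def contains(self, value: float) -> bool:
        above = value > self.lo or (self.lo_incl and value == self.lo)
        below = value < self.hi or (self.hi_incl and value == self.hi)
        return above and below


def _num(token: str) -> float:
    """'95%' -> 95.0, ' 0 ' -> 0.0"""
    return float(token.strip().rstrip("%"))


def parse_spec(spec: str) -> List[Band]:
    """Turn a threshold string into bands.

    ">95%" is strictly greater, "<90%" strictly less, "90% - 95%" is
    inclusive at both ends.  A bare target such as "0" or "100%" is read
    as Green when met exactly (assumption: any other reading is Red)."""
    pairs = _BAND_RE.findall(spec)
    if not pairs:
        v = _num(spec)
        return [Band("G", v, True, v, True),
                Band("R", -INF, False, v, False),
                Band("R", v, False, INF, False)]
    bands = []
    for status, rng in pairs:
        r = rng.strip()
        if r.startswith(">"):
            bands.append(Band(status, _num(r[1:]), False, INF, False))
        elif r.startswith("<"):
            bands.append(Band(status, -INF, False, _num(r[1:]), False))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            bands.append(Band(status, _num(lo), True, _num(hi), True))
        else:
            v = _num(r)
            bands.append(Band(status, v, True, v, True))
    return bands


def rag_status(spec: str, value: float) -> Optional[str]:
    """Return "G", "A" or "R" for the reading, or None when no band covers it
    (for example 62% under "G: >85%, A: 65% - 85%, R: <60%")."""
    for band in parse_spec(spec):
        if band.contains(value):
            return band.status
    return None


def spec_problems(spec: str) -> List[str]:
    """List gaps and overlaps between adjacent bands, so a spec that can
    leave a metric with no status is caught before it reaches a report."""
    bands = sorted(parse_spec(spec), key=lambda b: (b.lo, not b.lo_incl))
    problems = []
    for left, right in zip(bands, bands[1:]):
        touching = left.hi == right.lo
        if left.hi < right.lo or (touching and not (left.hi_incl or right.lo_incl)):
            problems.append(f"gap between {left.status} and {right.status}: "
                            f"{left.hi} to {right.lo} is uncovered")
        elif left.hi > right.lo or (touching and left.hi_incl and right.lo_incl):
            problems.append(f"overlap between {left.status} and {right.status} "
                            f"at {right.lo}")
    return problems


def evaluate(rows: Sequence[Tuple[str, str, float]]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Evaluate (metric, spec, reading) rows into (metric, status, problems)."""
    return [(metric, rag_status(spec, value), spec_problems(spec))
            for metric, spec, value in rows]


if __name__ == "__main__":
    # Constructed readings against thresholds taken from the dashboard above.
    sample = [
        ("% of End User computers with full disk encryption",
         "G: >95%, A: 90% - 95%, R: <90%", 95.0),   # exactly 95%: Amber, not Green
        ("% Employees exempt from USB restrictions",
         "G: <2%, A: 2% - 5%, R: >5%", 1.4),
        ("% of customer data encrypted as per standard",
         "G: >85%, A: 65% - 85%, R: <60%", 62.0),   # falls in the 60-65 gap
        ("# of mandatory data breach exceptions", "0", 1),
    ]
    for metric, status, problems in evaluate(sample):
        print(f"{status or 'UNDEFINED':9} {metric}")
        for p in problems:
            print(f"          spec problem: {p}")
```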
Level 2: Option 3 - Detailed control dashboard

Target audience

Typically these slides are targeted at steering committees, executives, and service and control owners within security, technology and business areas. This option is based on a maturity model, is very comprehensive and is likely to be prepared once every six months.

Context

The report covers capability effectiveness, capability coverage and capability change, and also provides an indicator of where a capability uplift is required. These are all essential dimensions when considering the maturity of any capability. It is often the case that, whilst an end point protection capability may have been deployed, due to operational gaps coverage can sit between 70 - 90% and there are no failsafe mechanisms in place to monitor or ensure corrective actions are in place to maintain it consistently at the target level. All of these create a false sense of security in the effectiveness of the controls. Whether these dimensions are captured in a maturity report or in the metrics, a reliable measure of control effectiveness is necessary to ensure reliable outcomes.

Standardised Executive Reporting, 2022 Slide 14


Level 2: Option 3 – Detailed control dashboard CCM

This page left intentionally blank

Standardised Executive Reporting, 2022 Slide 15


Level 1 & 2: Option 4 - Detailed control dashboard

Target audience

Typically these slides are targeted at steering committees, executives, and service and control owners within security, technology and business areas. Similar to Option 3, this option is based on security effectiveness, security hygiene, security readiness and security culture lenses for an organisation.

Context

The report is underpinned by more detailed metrics listed in the appendix, which cover trend, current state and target state and provide an opportunity for a commentary against each of the metrics.

Standardised Executive Reporting, 2022 Slide 16


Level 1: Option 4 – Security risk dashboard

Threat Conditions: Elevated. Reporting Period: 1st to 30th “Month” “Year”

Commentary
• Top x threat actors related activity observed in company environment.
• Any key changes in threat landscape – internal and external.
• Major incidents in the industry and what’s been in the news for the reporting period.
• Any key highlights on both internal and external threats.

Rolling 3-Month Trend
Reporting Period | Security Effectiveness | Security Hygiene | Security Readiness | Security Culture
Jan | G | A | A | G
Feb | G | A | A | G
March | G | A | A | G

Legend – Trend: Improvement; No/Little Change; Deteriorating. Status: Meeting target / SLA; Off Target (5-10%); Off Target (10%+).

Security Effectiveness (G) – monitors the effectiveness of implemented security controls
Capabilities (each with trend and status): Cybersecurity Visibility & Monitoring; Email Security; Cybersecurity Incident Overview; Cybersecurity Incident Response; Technical Security Assessment (TSA)
Top performing metrics: 81 % of spam and malicious emails blocked; 0 # P1 cyber incident; 0 # P2 cyber incident
Bottom performing metrics: 149 # MSS high priority alerts; 2 # confirmed cyber incident – Phishing (P3 incident); 2 # confirmed cyber incident – Malware (P3 incident)

Security Hygiene (A) – monitors vulnerability and patch management within the technology environment, and workforce access management
Capabilities: Privileged Access Management; Attack Surface Reduction (Technology); Patch Management
Top performing metrics: 99 % of privileged users on-boarded on enterprise PAM solution; 0.5 average time to disable privileged user account (in hours); 0 critical vulnerabilities identified from ethical hack
Bottom performing metrics: 17399 # of open Critical vulnerabilities; 38765 # of Critical vulnerabilities remediated; 728 # total number of end of life / end of support devices that are not patched

Security Readiness (A) – monitors the current state of security assessments, audit management actions and incident response capabilities
Capabilities: End Point Security; Critical Systems Readiness; Deviation Management; Audit Management Actions
Top performing metrics: 2 # of Technology audit actions; 0 # of Technology audit actions overdue; 8 # average time to detect potential incident (minutes)
Bottom performing metrics: 55% % systems not assessed for criticality (CIA); 61 % critical systems that have Service Continuity plan in place; 65 % critical systems that have completed Service Continuity testing

Security Culture (G) – monitors cyber awareness within the workforce, security compliance, and supply chain cyber risk
Capabilities: Cybersecurity Regulatory Compliance; Cybersecurity Awareness & Training; Third Party Cyber Risk Management
Top performing metrics: 97 % of Cybersecurity & Corporate controls are compliant; 0 % of high risk contracts that did not perform security assessment; 5.2 % of links clicked during Phishing Campaign
Bottom performing metrics: 44 % of emails reported during Phishing Campaign; 15 # critical and high risk deviations approved; 3 # critical and high risk deviation extensions approved

Standardised Executive Reporting, 2022 Slide 17


Level 2: Option 4 - Detailed control dashboard

Legend – Risk Level: L Low; M Medium; H High. Trend: No Change; Improving; Deteriorating.

Security Effectiveness (G) monitors the effectiveness of implemented security controls. Reporting Period: 1st to 30th “month” “year”

Capability | Key Metric | Current Metric Value | Previous Metric Value | Risk Level (trend and comments shown on the slide)
Cybersecurity Visibility & Monitoring | % of GDPR systems with logs ingested for monitoring | 100% | 100% | L
Cybersecurity Visibility & Monitoring | % of SOX systems with logs ingested for monitoring | 100% | 100% | L
Cybersecurity Visibility & Monitoring | # of sites with OT monitoring operationalised | 60 | 60 | L
Email Monitoring | % of spam and malicious emails blocked | 83% | 79% | L
Email Monitoring | % of malicious emails blocked | 15% | 23% | L
Email Monitoring | % of spam emails blocked | 66% | 56% | L
Cybersecurity Incident Overview | Number of high priority alerts | 153 | 38 | L
Cybersecurity Incident Overview | Total number of cyber tickets (including confirmed cyber incidents) | 230 | 281 | M
Cybersecurity Incident Overview | # of P1 cyber incidents MTD (Incidents by Urgency) | 0 | 0 | L
Cybersecurity Incident Overview | # of P2 cyber incidents MTD (Incidents by Urgency) | 0 | 1 | L
Cybersecurity Incident Overview | # of confirmed P3 and P4 cyber incidents MTD | 9 | 1 | L

Standardised Executive Reporting, 2022 Slide 18


BU Risk Report: Option 1 & 2

Target audience

Typically these slides are targeted at senior business stakeholders (EGMs), with the intent that the business takes ownership of its respective security risks.

Context

These reports have four possible areas that can be covered based on the maturity of the organisation and the security function:

1. Behavioural / cultural metrics such as training completion, phishing results, password strengths, hygiene of foundational security controls.
2. Exceptions and exemptions related to policies or standards such as USB exceptions or internet access bypass, or exceptions related to background checks or suppliers.
3. Security risks and maturity of controls; these include findings, issues and risks from audits and security risk assessments.
4. Security incidents such as data breaches and physical security breaches.

These reports need to have consistent data sources underpinning them, or else the veracity of the report will quickly become the focus rather than the focus being on improving the risk profile position.

Standardised Executive Reporting, 2022 Slide 19


BU Risk Report: Option 1 - Business reporting dashboard (Executive dashboard, Dec 2021)

Columns: BU Name | Security Training | USB read / write | Local admin | Uncontrolled internet access | Phishing simulation | Password strength | Actions

Rows: business units A, B, C and D. Each control column shows a three-month bar trend (Sep-20, Oct-20, Nov-20) for the business unit; the phishing simulation column splits the campaign result into Report, Submit and Clicked percentages. (Chart bar values not reproduced.)

Standardised Executive Reporting, 2022 Slide 20


BU Risk Report: Option 2 - Business reporting dashboard

Category | # | Metric | Target | BU A | BU B | BU C

Threat
1 | Externally perceived change in cyber security risk (%) | <2.5%
2 | Published critical vulnerabilities applicable to critical systems (#) | <10
3 | Material internal security incidents since the last reporting period (#) | <1

Controls
1 | End user computers protected against malware (%) | >97%
2 | Critical applications and security services covered by security monitoring (%) | >95%
3 | External customer facing services with Distributed Denial of Service (DDoS) protection (%) | >95%
4 | Malicious email protection effectiveness (%) | >97%
5 | End user computers covered by Data Loss Prevention (DLP) software (%) | >95%
6 | End user computers with appropriate web access filtering (%) | >95%
7 | Firewall coverage across external network perimeter (%) | >95%
8 | Intrusion Prevention with up to date protection (%) | >95%

Hygiene
1 | Critical / High patches applied to highly vulnerable and high impact operating systems (%) | >97%
2 | Critical / High patches applied to highly vulnerable and high impact application and middleware systems (%) | >97%
3 | Highly vulnerable and high impact servers configured securely (%) | >97%
4 | Critical applications with completed user access reviews (%) | >95%
5 | Privileged accounts with Privileged Access Management (PAM) controls (%) | >97%
6 | Employees who acted appropriately during simulated social engineering campaigns (%) | >90%
7 | Applications with highly protected data with masking in non-prod environments (%) | >90%

Assurance
1 | Security Tier 1 and Tier 2 suppliers receiving a GREEN or AMBER rating in the last assessment (%) | >95%
2 | Projects which introduced high issues into Production (#) | <1
3 | High and Medium long outstanding issues tracking RED (#) | <1

Standardised Executive Reporting, 2022 Slide 21


Appendix

Deep Dive - Our People’s Cyber Awareness | People have the right systems access

Awareness and training provides Company ABC personnel with the education to meet their cyber security related responsibilities (trend ▼)

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
CA.1 | Percentage of users who completed mandatory cyber training on time | 89% | 89% | 100%
CA.2 | Phishing resiliency rate, all employees | 2.5 | 0.24 | 5
CA.3 | Phishing resiliency rate, targeted areas of improvement | - | - | 5

Authorised people can access our systems and our critical systems are subject to additional controls

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
RSA.1 | Percentage of administration accounts in Privileged Access Management solution | 71% | 71% | 100%
RSA.2 | Percentage of administration accounts with completed access reviews | 100% | 100% | 100%
RSA.3 | Percentage of general user accounts with completed access reviews | 87% | 87% | 100%

Ref | Key Risks/Issues | Mitigation Strategies/Action Plans | Owner(s)
CA.2 | January 2021 phishing campaign had a high click rate (11%) and low reporting rate (3%) | Divisional presentations on the importance of taking action
RSA.1 | Administration account passwords are more vulnerable | More frequent re-certification of accounts

Standardised Executive Reporting, 2022 Slide 23


Deep Dive - Technology Asset Management | Perimeter and Endpoint Security

Ensuring we know what our technology assets are so we can ensure they are not vulnerable (servers, laptops, software etc.)

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
TAM.1 | Percentage of major technology changes with a security review | 96% | 96% | >95%
TAM.2 | Percentage of legacy operating systems with compensating controls | 100% | 100% | 100%

Perimeter and Endpoint Security proactively protects AusNet Services from a cyber attack

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
PES.1 | Percentage of mobile phones with management software | - | - | 100%
PES.2 | Percentage of internet facing applications with web firewall protection | x% | x% | 90%

Ref | Key Risks/Issues | Mitigation Strategies/Action Plans | Owner(s)
PES.1 | Included in metrics with project to enable in FY22

Standardised Executive Reporting, 2022 Slide 24


Deep Dive - Vulnerability Management | Monitoring and Incident Response

Vulnerability management proactively mitigates or prevents the exploitation of technology vulnerabilities in our systems (trend ▼)

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
VM.1 | Number of open Critical or High vulnerabilities affecting Corporate assets | 222K | 221K | 500
VM.2 | Number of open Critical or High vulnerabilities in Operational assets | 1008 | 1009 | 200
VM.3 | Number of overdue Critical or High vulnerabilities in Corporate assets | 222K | 221K | 0
VM.4 | Number of overdue Critical or High vulnerabilities affecting Operational assets | 1008 | 1009 | 0
VM.5 | Percentage of Corporate devices up to date with critical operating system security patches | 74% | 97% | 90%

Monitoring for, and responding to, cyber security incidents (trend ▲)

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
IR.1 | Highest number of hours from declaration to containment of a P1/P2 incident | 67 | 5.5 | <72
IR.2 | Percentage of P1/P2 cyber security incidents with post-incident review | 100% | 100% | 100%
IR.3 | Number of hours to investigate P1/P2 rated alerts | - | 3 | 24
IR.4 | Average time it takes for users to report phishing emails (in hours) | 1.82 | 1.82 | <4
IR.5 | Percentage (%) of critical system logs with monitoring enabled | 92% | 92% | 95%

Ref | Key Risks/Issues | Mitigation Strategies/Action Plans | Owner(s)
VM.3 | Vulnerable to a cyber breach | In-flight project to assess and plan in place for FY22 remediation
VM.4 | Vulnerable to a cyber breach | Policy communication and governance process to be implemented

Standardised Executive Reporting, 2022 Slide 25
Deep Dive - Disaster Recovery | Third Party Cyber Risk

Disaster recovery includes backing up and restoring systems and integration between cyber security and emergency management

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
DR.1 | Percentage of critical applications with completed DR test in previous 18 months | 98% | 98% | >95%
DR.2 | Percentage (%) of Table Top Exercises completed as planned | 100% | 100% | >90%
DR.3 | Percentage (%) of planned SPIRACS Exercises completed | 100% | 100% | 100%

Providing assurance to our business that our partners are managing cyber security risk

Ref | Key Metric | Previous | Current | Target (RAG and trend shown as icons)
TPCR.1 | Percentage of third parties that have been classified in terms of criticality | 34% | 46% | >90%
TPCR.2 | Percentage of critical-rated third parties which have been security risk assessed | 75% | 77% | >90%
TPCR.3 | Number of open high risk findings related to third party cyber security | 2 | 1 | 0

Ref | Key Risks/Issues | Mitigation Strategies/Action Plans | Owner(s)
TPCR.3 | Vendors are not compliant with our policies | Review contract terms with finance/procurement



Level 2: Option 4 - Detailed control dashboard

Legend: Risk Level L = Low, M = Medium, H = High; Trend = No Change / Improving / Deteriorating

G | Security Effectiveness monitors the effectiveness of implemented security controls | Reporting Period: 1st to 30th “month” “year”

| Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cybersecurity Incident Overview | Top 3 confirmed cybersecurity incidents by Category | | | | | |
| | Confirmed incident – Data Mishandling | 1 | 1 | L | | |
| | Confirmed incident – Phishing | 2 | 0 | L | | |
| | Confirmed incident – Malware | 2 | 0 | L | | |
| | Top 3 cybersecurity incidents by NIST Attack Vector – Intent: To further drive the Cyber Threat Intelligence capability and help determine focus areas for Cyber Operations | | | | | |
| | Cybersecurity Incident by NIST Attack Vector – Improper Usage | 25% | 0% | L | | |
| | Cybersecurity Incident by NIST Attack Vector – Email | 13% | 100% | H | | |
| | Cybersecurity Incident by NIST Attack Vector – Other | 38% | 0% | L | | |
| Technical Security Assessment (TSA) | Total TSA completed MTD | 46 | 66 | L | | |
| | # of TSA completed with Findings | 8 | 6 | L | | |
| | # of TSA without remediation plans | 2 | 2 | L | | |
| | # of TSA under Cybersecurity Risk Review | 51 | 46 | M | | |
| | % of new technology projects went live without meeting cybersecurity requirements | 0% | No data provided | L | | |


Level 2: Option 4 - Detailed control dashboard

A | Security Hygiene monitors vulnerability and patch management within the technology environment, and workforce access management | Reporting Period: 1st to 30th “month” “year”

| Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Privileged Access Management | % of privileged users on-boarded into PAM solution to date (IT) | 99% | 98% | L | | |
| | # of users with privileged access in IT | 3,157 | 3,084 | M | | |
| | # of privileged global admins in O365 | 10 | 10 | L | | |
| | Average time taken to disable privileged user AD accounts | 0.5 hour | 0.5 hour | L | | |
| Vulnerabilities Management | # of open Critical vulnerabilities | 100,000 | 20,000 | M | | |
| | # of new Critical vulnerabilities identified this month | 30,000 | 50,000 | M | | |
| | # of Critical vulnerabilities remediated | 20,000 | 60,000 | M | | |
| | # of open High vulnerabilities | 500,000 | 400,000 | M | | |
| | # of new High vulnerabilities identified this month | 150,000 | 100,000 | M | | |
| | # of High vulnerabilities remediated | 150,000 | 120,000 | L | | |


Level 2: Option 4 - Detailed control dashboard

A | Security Hygiene monitors vulnerability and patch management within the technology environment, and workforce access management | Reporting Period: 1st to 30th “month” “year”

| Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Vulnerabilities Management | # of critical and high vulnerabilities identified from ethical hack | 3 | 3 | L | | |
| | # of critical and high vulnerabilities identified on external facing assets | 7 | 6 | L | | |
| Patching Management | Total number of end of life / end of support devices that are not patched | 1,198 | 1,758 | H | | |
| | Breakdown: Total number of end of life / end of support devices that are not patched – CORP | 66 | 99 | H | | |
| | Breakdown: Total number of end of life / end of support devices that are not patched – APAC | 810 | 1,178 | H | | |
| | Breakdown: Total number of end of life / end of support devices that are not patched – LATAM | 135 | 189 | H | | |
| | Breakdown: Total number of end of life / end of support devices that are not patched – NAMERICA | 187 | 292 | H | | |
| Cloud Security | Total cloud security misconfigurations - AWS | 189 | 358 | H | | |
| | Total cloud security misconfigurations - AZURE | 60 | 68 | M | | |
| | Total cloud security misconfigurations - GCP | 52 | 52 | M | | |
| | Shadow IT instances | 2 | 2 | L | | |


Level 2: Option 4 - Detailed control dashboard

A | Security Readiness monitors the current state of security assessments, audit management actions and incident response capabilities. | Reporting Period: 1st to 30th “month” “year”

| Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Endpoint Security | Total number of endpoints connected to IT network | 196,398 | 196,390 | L | | |
| | Total number of endpoints connected to OT network | 122,736 | 122,618 | L | | |
| | % of IT user endpoints meeting AV compliance status | 98% | 98% | L | | No significant changes since October. |
| | % of OT user endpoints meeting AV compliance status | 91% | 92% | L | | No significant changes since October. |
| | % of IT servers meeting AV compliance status | 98% | 98% | L | | No significant changes since October. |
| | % of OT servers meeting AV compliance status | 98% | 98% | L | | No significant changes since October. |
| Critical Systems Readiness | % of systems not assessed for criticality (CIA) | 49% | Data not provided | M | | |
| | Number of critical systems | 206 | Data not provided | M | | |
| | % of critical systems that have SCM plan in place | 88% | Data not provided | M | | |
| | % of critical systems that have completed SCM testing | 77% | Data not provided | M | | |


Level 2: Option 4 - Detailed control dashboard

A | Security Readiness monitors the current state of security assessments, audit management actions and incident response capabilities. | Reporting Period: 1st to 30th “month” “year”

| Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Audit Management Actions – Technology | # of open Technology audit actions | 2 | 2 | L | | |
| | # of open Technology audit actions <3 months (not including overdue) | 0 | 2 | L | | |
| | # of open Technology audit actions >3 months | 0 | 0 | L | | |
| | # of incomplete and overdue Technology audit actions | 0 | 0 | L | | |
| | # of Technology audit actions due next month and not yet started | 0 | 0 | L | | |
| | # of repeated Technology audit findings | 0 | 0 | L | | |
| Cybersecurity Incident Response | Average time to resolve P1 incident | 0 | 0 | L | | |
| | Average time to resolve P2 incident | 0 | 0 | L | | |
| | Average time to resolve P3 and P4 incident | 15 days | 12 days | M | | |
| | Average time to detect a potential incident | 12 minutes | 86 minutes | L | | |
| | # of Cyber Incident Response tests completed to date | 0 | 0 | L | | |


Level 2: Option 4 - Detailed control dashboard

G | Security Culture monitors cyber awareness of the workforce, security compliance, and supply chain cyber risk | Reporting Period: 1st to 30th “month” “year”

| Capability | Key Metrics | Current Metric Value | Previous Metric Value | Risk Level | Trend | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cybersecurity Regulatory Compliance | % of Cybersecurity & Corporate controls that are compliant | 97% | 97% | L | | |
| Deviations Management (Compliance to Cyber Standards) | Total deviations submitted MTD | 60 | 50 | L | | |
| | # of critical and high-risk security deviations approved MTD | 21 | 5 | M | | |
| | # of critical and high-risk security extensions approved MTD | 3 | 0 | M | | |
| Cybersecurity Awareness & Training | % of links clicked during Phishing Campaign | 5% | 7% | L | | |
| | % of phishing emails (simulation) reported during Phishing Campaign | 46% | 49% | M | | |
| | % of employees completed cybersecurity training (Technology only) | 34% | 97% | M | | |
| | % of cybersecurity training completed by third-party | Accenture – 21%; Cognizant – 32%; Infosys – 36% | Accenture – 97%; Cognizant – 90%; Infosys – 84% | M | | |
| Third Party Cyber Risk Management (TPCRM) | % of high-risk contracts that did not perform TPCRM | 0% | 0% | L | | |
| | # of open high-risk findings from TPCRM | 0 | 1 | L | | |


Frequently Asked Questions

Question: Why do we have a limited set of KRIs that are phishing related in the KRI list? Surely there are other KRIs that are important?
Answer: The KRI list is based on what the board has the highest interest in; these days it is phishing, but for different boards it could be different topics, and this list should be customised to the requirements of the individual organisation.

Question: How can external threat and incident data be captured?
Answer: The CISO Lens community already has a template for reporting external incidents, their root cause and the controls that your organisation has in place to protect against a similar type of attack.

Question: For a security business that is less mature, what is a suggested set of templates that can be used?
Answer: If your business has low maturity and has a transformation program in place to achieve the desired maturity, it is recommended that either of the Level 0 Options 1 or 2 be used. This can be underpinned by the Level 1 Security dashboard, starting with a smaller set of metrics and building out to a more detailed list as the function matures.

Question: Are these metrics relevant for outsourced arrangements as well?
Answer: Yes, the metrics and reporting are relevant whether you have an insourced, hybrid or outsourced function. However, further work is recommended on baking the metrics into the KPIs for a managed service provider so that some of them become mandatory (especially the ones linked to basic hygiene).

Question: Why are project related metrics not included in the dashboard?
Answer: The expectation is that every security team will have some form of transformation programs / projects, and given these may be informed by central project management office functions, they have not been included. Besides, project delivery metrics are usually standardised around scope, time and cost.


Andy Chauhan | www.cisolens.com
andy-chauhan-23861b | benchmark@cisolens.com

This report was authored on behalf of CISO Lens by Andy Chauhan.
