How we report information security metrics to boost our view of risk


Good metrics and measurement of an organization’s security posture help keep the CISO and senior leadership informed about cybersecurity. The insights help leaders see where risks lie, and metrics help keep people accountable.

As I have written previously, at Accenture, we use metrics to measure the security of our technical infrastructure, our cloud, our client engagements, our acquisitions, and many other things. These metrics form a core part of my conversation as Accenture’s CISO with senior leadership.

With so much data available these days, it’s easy to share too much data or a scorecard that is too dense. Find the right balance with your audience so they see the insights, not just data. Help them understand what the most important risks are, and how they should be thinking about them.

Over the years, our internal Information Security organization has honed the metrics we capture and condensed that data into well-structured reporting. It’s no small feat in an organization as large and complex as Accenture—and it is a continually evolving exercise. We are currently moving toward more consistency across Accenture in how metrics are captured and presented.

Today, two monthly reports support my conversations with Accenture leaders. Each report tracks a set of core key performance indicators (KPIs) to measure information security across the business and to drive accountability for protecting Accenture’s environment and the client data entrusted to us.

Executive Action Report

This report provides seven core security KPIs across three Accenture market units and five services and is delivered to the responsible senior leads. They receive data specific to their organization to generate awareness of their unit’s information security posture and to drive accountability for risk remediation and resolution.

This report has served us well, but we’re taking it one step further to make the metrics more uniform and to support a bottom-up, rather than top-down, reporting tool. We’re striving for a consistent approach across our Information Security teams so that they measure risk in the same way and apply the same criteria to commentary and messaging. The goal is consistency in how I report Accenture’s security posture.

One new simplification is “critical actions” and “asks.” These are expressed in words rather than numbers to highlight the actions the affected leads need to take. The aim of evolving the Executive Action Report is to get the right message to the right people at the right time so they can take the necessary action.

OneScore

OneScore came about as a result of our most senior leaders asking me to deliver a single score to keep them informed on Accenture’s current security metrics and posture and to provide insights into potential security risk areas. The beauty of this report is in its easy-to-understand simplicity.

OneScore involved weighting our risk areas including client data protection, acquisitions integration, supplier cyber risk, technical hygiene, incidents, and other information security controls, summarized numerically. The data is now included in Accenture’s quarterly state of the business reporting.

Metrics matter

Business metrics matter. Leadership should hold the security function to the same standard of reporting against business metrics as any other business area. Information security metrics give leaders an overall view of risk, raising awareness and helping them understand which risks matter most. The insights are intended to reduce the chance of a successful cyberattack.

In addition, for security oversight at Accenture, I work closely with our Internal Audit and Enterprise Risk Management groups to assess parts of the business and identify enterprise-level risks, as well as the overall enterprise risk of information security. We also pay attention to the security ratings published by cybersecurity ratings companies, which help steer our focus toward key security risks (and give confidence to our clients).

Addressing risk—in information security and enterprise-wide—is a necessary business activity, especially given the ever-changing cyber threat landscape of today. The work is made easier with clear and concise metrics.

Are your security function metrics reviewed by your organization’s leaders? Providing the insights they need? I’d like to hear about it. Let’s share what we know to secure what we must.

Jesús España Del Pozo

Senior IT Professional | SAP Security & Cybersecurity Solutions Specialist

8 months

As Leonardo da Vinci said, 'Simplicity is the ultimate sophistication.' To achieve a clear and concise approach in communicating with our leaders, Security Insights and KPIs must embody this principle.

Dr. Sriram Raghavan

Threat-informed Defence Engineering (TiDE) Lead, Telstra

8 months

A very well-conceived approach to improving organisation security posture. One of the challenges in this space has been translating metrics into actions. This article provides a systematic treatment of this exercise.

Colin Anderson

HR Transformation Leader at Accenture

8 months

Don’t forget about the personal InfoSec score that we can see on ourselves, which I love. A simple and fun way to ensure we hold ourselves to a high standard … plus some fun competition
