Cybersecurity KPIs for your board of directors


Boards may not always be confident in understanding the right metrics to use to determine whether their organisation is adequately protected against cybersecurity threats. Here are five of the most significant key performance indicators (KPIs) that they should bear in mind. 

1. Detected intrusion attempts 

A strong cybersecurity infrastructure that is capable of responding to threats quickly and effectively can be even more important in protecting your organisation than mechanisms that attempt to keep intrusion attempts from occurring at all. 

Gathering data about the total number of intrusion attempts your organisation receives during a particular month, quarter or year – and tracking these results over time – gives you a clear indication of how well your cybersecurity system is blocking them. It also lets you know if your cybersecurity program improvements move the needle on reducing threats. 

2. Patch response time 

Cyberattacks often unfold very quickly, so every second counts when identifying and responding to intrusion attempts. Security patches do not necessarily provide a permanent resolution, but applying them as quickly as possible plays a vital role in minimising the damage your organisation or customers may experience if a data breach occurs, or if a DDoS, phishing or other type of cyberattack successfully penetrates your cybersecurity system. 

Patching cadence refers to the frequency with which you check your systems, networks and applications for updates. Patch response time is graded on an A–F scale. Routinely evaluate the grades your patching cadences receive to determine how likely your system is to be effective if a cyberattack occurs and identify areas that are most in need of improvement. 
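As an added example, not taken from the article or from OnBoard, the following script computes the patch response time KPI described above from a constructed patch log: days from a patch's release to its deployment, averaged per asset and overall, and mapped to the A–F scale. The grade cut-offs in `GRADE_BANDS` and the sample dates are assumptions for illustration; a patch that has not yet been applied counts as outstanding up to the reporting date rather than being silently dropped.

```python
from datetime import date
from statistics import mean

# Constructed sample patch log (dates are invented): when the vendor released a
# patch and when it was applied on the asset. `applied` is None if still pending.
PATCH_LOG = [
    {"asset": "web-01",  "released": date(2023, 3, 1),  "applied": date(2023, 3, 4)},
    {"asset": "web-01",  "released": date(2023, 3, 15), "applied": date(2023, 3, 29)},
    {"asset": "db-01",   "released": date(2023, 3, 1),  "applied": date(2023, 4, 10)},
    {"asset": "db-01",   "released": date(2023, 3, 20), "applied": None},
    {"asset": "mail-01", "released": date(2023, 3, 10), "applied": date(2023, 3, 12)},
]

# Assumed grade bands: (maximum mean days to patch, letter grade). The article
# names the A-F scale but not its thresholds, so these are placeholders.
GRADE_BANDS = [(7, "A"), (14, "B"), (30, "C"), (60, "D"), (90, "E")]


def days_to_patch(record, as_of):
    """Days from release to deployment; an unapplied patch accrues days up to as_of."""
    end = record["applied"] or as_of
    return (end - record["released"]).days


def grade(mean_days):
    """Map a mean response time in days to a letter grade using GRADE_BANDS."""
    for limit, letter in GRADE_BANDS:
        if mean_days <= limit:
            return letter
    return "F"


def patch_response_kpi(log, as_of):
    """Overall and per-asset patch response time, graded, plus outstanding count."""
    per_asset = {}
    for rec in log:
        per_asset.setdefault(rec["asset"], []).append(days_to_patch(rec, as_of))
    all_days = [d for days in per_asset.values() for d in days]
    return {
        "mean_days": mean(all_days),
        "grade": grade(mean(all_days)),
        "asset_grades": {a: grade(mean(d)) for a, d in per_asset.items()},
        "worst_asset": max(per_asset, key=lambda a: mean(per_asset[a])),
        "outstanding": sum(1 for rec in log if rec["applied"] is None),
    }


if __name__ == "__main__":
    print(patch_response_kpi(PATCH_LOG, as_of=date(2023, 4, 30)))
```

The per-asset grades are the part worth showing a board: a healthy overall average can hide one system (here `db-01`) that is consistently slow to patch.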

3. User access levels 

Not every member of your organisation should have access to all of your organisation’s data; it is rarely necessary for your entire board of directors to have full access to all your programs, passwords, customer information and other sensitive data. Carefully consider who needs access to each type of information to manage their responsibilities effectively, and secure your user access levels by limiting each individual’s access to what is necessary to perform their duties.

Board members need access to the right information to fulfil their roles, but not all board members need the same level of access. In many industries, board members complete an annual questionnaire disclosing any personal conflicts of interest. A conflict of interest might limit a member’s access to information on certain topics.

Assign appropriate positions to board members to give them access to what they need to succeed — no more and no less.

4. Backup cadence 

Even the strongest cybersecurity program can be breached. Having an adequate backup system in place before you need it, and continuously evaluating its effectiveness, is an important step in reducing the level of damage your organisation is likely to sustain if you do experience an intrusion. 

Although the hope is that your backup will be needed less often than other parts of your cybersecurity system, ensuring that you have the right backup cadence (the interval at which you make a backup of your system), defining goals for how robust it must be and being diligent about regular evaluation can go a long way towards protecting your organisation if your primary system fails. 

5. Vendor security rating 

Any vendor or other third party your organisation works with has the potential to inadvertently or intentionally become a cybersecurity threat. Your board of directors must carefully evaluate each program you are considering using or company you might want to work with to determine whether they take adequate cybersecurity measures to protect their partners. 

To improve your third-party risk management (TPRM) decisions, determine minimum vendor security ratings that partner vendors must meet before your organisation will work with them.

Establishing cybersecurity metrics

Effective cybersecurity metrics must be based on solid data. Evaluating information you have about current threats and responses, and assessing how these details can help you make improvements, makes your overall cybersecurity program more successful. 

Improve board effectiveness with OnBoard

A quality board-management software program can be a helpful tool for keeping track of your KPIs and other data related to your cybersecurity measures in one place, as well as organising nearly every other aspect of boardwork, including planning effective board meetings. 

OnBoard’s purpose-built board portal features range from agenda creation and meeting analytics to secure messaging and risk and compliance tools, and our enterprise-grade security architecture adds another layer of protection to your overall cybersecurity infrastructure. 

If you want to compare board security features of different platforms to find the right one for your organisation, check out our free Board Management Software Buyer’s Guide.

Frequently asked questions (FAQ)

What are the steps for presenting cybersecurity to your board?

Presenting cybersecurity measures in a way that resonates with your board is not always easy, but it is an important step in making sure everyone is on the same page when it comes to protecting your organisation. Some of the most important steps for doing this include:

  • Clearly identifying potential risks your organisation faces
  • Suggesting specific strategies for fixing those vulnerabilities
  • Identifying standards or KPIs that can let you know if measures are performing well 
  • Establishing a culture of cybersecurity within your organisation.

What questions should a board ask about cybersecurity?

Knowing what topics your board of directors should be discussing is a crucial step in addressing the right issues and avoiding gaps in your cybersecurity coverage. Some of the most important questions your board should ask when planning and evaluating your cybersecurity measures include:

  • What are this organisation’s most important or sensitive assets? 
  • What steps are we currently taking to protect them? 
  • What aspects of our cybersecurity program are working well, and which ones are most in need of improvement? 
  • How do we know if a data breach, intrusion or other cybersecurity problem has occurred? 
  • What will our board do, both immediately and over time, to solve the problem if a cybersecurity issue does occur? 

To learn more about OnBoard, get in touch today!

OnBoard are sponsors of Governance Ireland 2023, the CGIUKI annual conference for all governance professionals in Ireland. This year the conference will take place at the Printworks, Dublin Castle on Tuesday 30 May 2023. Find out more and book your ticket.
