When presenting to the board on security, which are more impactful: leading indicators or trailing indicators?

Senior Manager - IT Governance in Healthcare and Biotech, 2 years ago

Both lead and lag indicators serve a purpose... reliance on only one could skew the picture. I believe a balanced approach to be more beneficial... show a bit of both (learn from the past to inform the future, and learn from environmental analysis to inform decisions).

Director of IT in Education, 2 years ago

Leading indicators are more impactful to the board, showing the security measures implemented and the effectiveness, by showing security metrics results. Trailing indicators can show the contrast of security in place currently against the past.

Founder/Chairman/CTO in Telecommunication, 3 years ago

Leading indicators versus trailing indicators is the biggest thing in the private space, which is where I have all of my experience at this point, so there's a bit of bias there. But boards are looking for leading indicators. If you're talking about trailing indicators, they're useful inasmuch as they confirm a thing that you planned to do in the past, so it's attainment to target. For example, let’s say you wanted to implement MFA and have 99% usage across the organization. You slated that for Q1 and hit the target early in terms of proactively rolling forward and hitting these projects on time, on budget and to plan. The more of that stuff you can surface, the better.
