Cybersecurity pros interested in metrics and measures frequently ponder and pontificate on what measures would be best to show the board of directors. That can be a tricky proposition because “we have to speak like the business” is also a mantra. Coming up with cybersecurity metrics from a business perspective can be a challenge. So how can we solve this problem and provide useful insight?

Well, first we have to recognize that the board level is the highest strategic level in the company. If you provide metrics on patch status and phishing test results, you are essentially admitting that your cybersecurity program is built on a few hodge-podge activities and a prayer.

Cybersecurity pros often malign the “red-yellow-green” types of indicators, but keep in mind that the board doesn’t need technical details or variances. If they can get by with “sales per square foot” metrics in retail stores that sell smartphones and candy bars, or “bed utilization” measures for hospitals that treat dehydration and conduct brain surgery, they can work with “bigger picture” scales on three to five levels. “Red-yellow-green” isn’t completely out of the question as long as the levels are defined and have details that explain them. The bigger challenge now is that board members are increasingly becoming liable for negligence, and they really should, and do, want more insight.

Top cybersecurity questions from corporate boards

Now we revert to where we started: trying to provide business-oriented board members with technically oriented cybersecurity data at a strategic level. It may be helpful to set a baseline of what board members really want to know about cybersecurity in any company. Here are their top five questions:

- Are we secure? This question is the bane of many a cybersecurity pro’s existence because the answer now and always will be “no” from a literal 100% protection standpoint. If we rework the question to “what is our exposure level?” we can start to make headway.
- Are we compliant? This question is often easily answered with audit results, but it may provide no real comfort due to its “point-in-time” perspective, which can change at a moment’s notice. It is better to assess our cybersecurity program using a control framework.
- Have we had any (significant) incidents? Board members will be well aware of any significant incidents, so this question is usually answered with details as well as estimates of costs and potential liability.

I said there are five questions, but the three above are the ones that are typically articulated. These final two are implied as a standard element of good board management:

- How effective is our security program? Quality first.
- How efficient is our security program? And then quantity.

Cybersecurity metrics for corporate boards

As we build out our program, our goal should be to directly translate the most detailed technical data into a strategic framework that is understandable at the business level. We should also factor in the fact that board members are not stupid, and they can learn anything they need to that helps them make strategic decisions.
Technology is taking over their lives just like ours, and with the entire world going through digital transformation, it has been amazing how easily they have picked up SaaS metrics as needed.

We are going to work with metrics on:

- IT assets (number of users, devices, servers, apps, etc.)
- Usage activity (sessions, flows, messages, etc.)
- Process controls (user account create/modify/delete; vulnerability detect/patch; incident detect/respond, etc.)
- Real-time (inline) controls (antimalware, firewall, email security, etc.)
- Incidents

Here is a good core set of board metrics that provide strategic insight into the enterprise cybersecurity program:

- Cyber risk: the percentage of inappropriate usage activities out of all usage activities
- Cybersecurity efficacy: the percentage reduction in cyber risk provided by the real-time cybersecurity controls
- Cyber exposure: the average number of usage activities per IT asset
- Cyber resilience: the average number of real-time controls applied to each usage activity
- Risk aversion ratio: the willingness to accept productivity impairment (e.g., password failures, false positives) compared to the malicious activity allowed or denied (true positives plus false negatives)

In addition, we need to factor in costs and value.
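Before turning to the cost measures, here is an added worked example (not code from the original article) showing how the five core metrics above can be computed from real-time control telemetry and mapped onto a defined three-level red-yellow-green scale, as the article recommends. The activity records, asset inventory, control names and band thresholds are all constructed for illustration. One interpretation is assumed: "cyber risk" is computed both as attempted (before the inline controls act) and as residual (what the controls let through), so that efficacy can be expressed as the percentage reduction between the two.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Activity:
    """One usage activity (session, flow, message) as seen by the real-time controls."""
    asset: str           # IT asset the activity touched
    malicious: bool      # ground truth after investigation: was it inappropriate?
    controls: List[str]  # real-time (inline) controls that inspected it
    blocked: bool        # did any of those controls deny it?


# Constructed inventory and telemetry for illustration only (not real data).
ASSET_INVENTORY = ["crm-app", "mail-gw", "vpn", "fileshare"]

SAMPLE_ACTIVITIES = [
    Activity("crm-app",   False, ["fw", "waf"],       False),
    Activity("crm-app",   False, ["fw", "waf"],       False),
    Activity("crm-app",   True,  ["fw", "waf"],       True),   # true positive
    Activity("mail-gw",   False, ["fw", "email-sec"], True),   # false positive
    Activity("mail-gw",   True,  ["fw", "email-sec"], True),   # true positive
    Activity("mail-gw",   True,  ["fw", "email-sec"], False),  # false negative
    Activity("vpn",       False, ["fw", "mfa"],       False),
    Activity("vpn",       False, ["fw", "mfa"],       True),   # false positive (password failure)
    Activity("vpn",       True,  ["fw", "mfa"],       True),   # true positive
    Activity("fileshare", False, ["fw"],              False),
]


def rate(value: float, green: float, yellow: float, higher_is_better: bool) -> str:
    """Map a metric onto a defined three-level scale. The thresholds are assumptions
    a program would set and document for its own board, not values from the article."""
    if higher_is_better:
        return "green" if value >= green else "yellow" if value >= yellow else "red"
    return "green" if value <= green else "yellow" if value <= yellow else "red"


def board_metrics(activities: List[Activity], assets: List[str]) -> Dict[str, Tuple[float, str]]:
    """Compute the five core board metrics as (value, level) pairs."""
    if not activities or not assets:
        raise ValueError("need at least one activity and one asset")
    total = len(activities)
    malicious = sum(a.malicious for a in activities)
    true_pos = sum(a.malicious and a.blocked for a in activities)
    false_neg = sum(a.malicious and not a.blocked for a in activities)
    false_pos = sum((not a.malicious) and a.blocked for a in activities)

    # Cyber risk: share of inappropriate activity, as attempted (inherent)
    # and as what the inline controls let through (residual).
    inherent_risk = malicious / total
    residual_risk = false_neg / total
    # Cybersecurity efficacy: percentage reduction in cyber risk due to the controls.
    efficacy = 1 - residual_risk / inherent_risk if inherent_risk else 1.0
    # Cyber exposure: activities per IT asset. The whole inventory is counted,
    # so an asset with no observed activity still dilutes the average.
    exposure = total / len(assets)
    # Cyber resilience: real-time controls applied per activity.
    resilience = sum(len(a.controls) for a in activities) / total
    # Risk aversion ratio: tolerated productivity impairment (false positives)
    # relative to malicious activity, whether allowed or denied (TP + FN).
    # Whether a lower ratio is "better" is a policy choice; lower is assumed here.
    denominator = true_pos + false_neg
    risk_aversion = false_pos / denominator if denominator else 0.0

    return {
        "cyber_risk":    (residual_risk, rate(residual_risk, 0.05, 0.15, False)),
        "efficacy":      (efficacy,      rate(efficacy, 0.90, 0.70, True)),
        "exposure":      (exposure,      rate(exposure, 5.0, 20.0, False)),
        "resilience":    (resilience,    rate(resilience, 2.0, 1.0, True)),
        "risk_aversion": (risk_aversion, rate(risk_aversion, 1.0, 3.0, False)),
    }


if __name__ == "__main__":
    for name, (value, level) in board_metrics(SAMPLE_ACTIVITIES, ASSET_INVENTORY).items():
        print(f"{name:14s} {value:6.2f}  {level}")
```

The point of the band thresholds being explicit arguments is the article's own caveat: a red-yellow-green indicator is only useful to a board when each level is defined and the underlying numbers are available on request.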
After all, financial information is the lingua franca of the business world:

- Loss to value ratio: spending on cybersecurity, including incident losses, compared to the financial value provided by IT assets
- Control cost per IT asset (probably per application): allocated costs of cybersecurity controls by IT asset
- Risk reduced per unit cost: financial value of reduced risk compared to total cybersecurity spending

Look at the board proceedings and earnings call transcripts of publicly traded companies, or even the vast number of financial ratios on your favorite investing websites, and you will see that the metrics described above are at a much more appropriate strategic level than the mishmash of patch levels and malware found.

If we want executives to take cybersecurity seriously in the enterprise, this is the way to get there.