Towards meaningful cyber security metrics for business executives

In the face of a growing and changing cyber threat landscape, information security professionals should continually provide meaningful metrics to the business so that security stays on the radar of executives. This is the advice of Brian Honan, founder and chief executive of BH Consulting, ahead of Info Security Europe, 2-4 June 2015 in London.
According to Honan, metrics can include the proportion of staff that have completed security awareness training, the proportion of mobile devices that are encrypted, the number of security incidents, the mean time to resolving security incidents, and how these metrics are trending over time. 
However, Honan also warns that metrics alone are not enough to show how well a security programme is working. These metrics need to be tied to other metrics that are having an influence on the business, such as a planned acquisition or product launch. 
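As an added illustration (not from the article or BH Consulting) of the metrics Honan lists, the script below computes them for one reporting period from constructed incident records and inventory counts, and labels each metric's direction against the previous period so that the trend, not just the raw number, is what reaches the board. The incident schema, field names and figures are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

@dataclass
class Incident:  # constructed sample schema, not from the article
    opened: datetime
    resolved: Optional[datetime]  # None while the incident is still open

def mean_time_to_resolve_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean hours from detection to closure, over resolved incidents only."""
    hours = [(i.resolved - i.opened).total_seconds() / 3600 for i in incidents if i.resolved]
    return round(mean(hours), 1) if hours else None

def proportion_pct(done: int, total: int) -> float:
    """Share of a population meeting a control, e.g. staff trained or devices encrypted."""
    return round(100.0 * done / total, 1) if total else 0.0

def trend(current, previous, lower_is_better: bool = False) -> str:
    """Label the period-over-period direction so executives see movement, not just a number."""
    if current is None or previous is None:
        return "n/a"
    if current == previous:
        return "flat"
    improved = current < previous if lower_is_better else current > previous
    return "improving" if improved else "worsening"

def period_metrics(incidents, trained, staff, encrypted, devices) -> Dict:
    """The four metrics named in the article, computed for one reporting period."""
    return {"trained_pct": proportion_pct(trained, staff),
            "encrypted_pct": proportion_pct(encrypted, devices),
            "incidents": len(incidents),
            "mttr_h": mean_time_to_resolve_hours(incidents)}

def quarterly_report(curr: Dict, prev: Dict) -> Dict[str, Dict]:
    """Compare each metric with the previous period; lower is better for counts and MTTR."""
    lower_better = {"trained_pct": False, "encrypted_pct": False, "incidents": True, "mttr_h": True}
    return {k: {"current": curr[k], "previous": prev[k], "trend": trend(curr[k], prev[k], lb)}
            for k, lb in lower_better.items()}

# Constructed sample data for two quarters (timestamps and counts are invented).
Q1 = [Incident(datetime(2015, 1, 5, 9), datetime(2015, 1, 7, 9)),    # 48 h
      Incident(datetime(2015, 2, 10, 8), datetime(2015, 2, 11, 8))]  # 24 h
Q2 = [Incident(datetime(2015, 4, 1, 10), datetime(2015, 4, 1, 22)),  # 12 h
      Incident(datetime(2015, 5, 3, 9), datetime(2015, 5, 4, 9)),    # 24 h
      Incident(datetime(2015, 6, 20, 9), None)]                      # still open
PREV = period_metrics(Q1, trained=120, staff=200, encrypted=150, devices=200)
CURR = period_metrics(Q2, trained=180, staff=200, encrypted=190, devices=200)
```

Note that an unresolved incident still counts towards the incident total but is excluded from MTTR, so a rising count with a falling MTTR is reported as two separate trends rather than hidden in one average.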

Role of standards
According to Honan, the ISO 27001 information security standard provides a useful way of understanding potential deliberate and inadvertent risks to information security in a business.
The standard has been useful in helping to engage the business, but it is key as an information security professional to understand the business you are dealing with. One industry sector is not necessarily concerned about the same types of risk as another, which means that when talking to a business, it is important to understand what risks it cares about.

Better understanding of the business 
Understanding the business better makes it easier to communicate the impact of particular security threats in a much more relevant and effective way. It is also useful to talk to managers to find what they are struggling with from a security point of view. For example, sales teams may be finding security too cumbersome for accessing systems remotely.
Honan said, “when people find security too difficult, they try to go around it by copying data onto USB sticks or private cloud storage, which has huge risk implications for the business”. Honan has worked with one sales manager to propose an enterprise cloud-based customer relationship management system. Another business has adopted and rolled out to the entire business a cloud-based email service because it was secure, easier and less expensive. This is an example of a project driven in partnership with a business unit, with security seen as an enabler rather than an inhibitor.

Engaging the board and C-level executives
Another useful way for information security professionals to engage with the board and C-Level executives is to demonstrate how cyber criminals are attacking every business size and type. Organisations need to understand that all organisations are now targets, not just banks and payment processing companies as most people believe. Cyber criminals are not just after financial data but also personal data of employees and customers, as well as hijacking IT infrastructure for criminal use. Most organisations are not aware that cyber criminals could hijack their IT system as part of criminal botnet infrastructures for things like distributed denial-of-service attacks. 
Boards may also need to be made aware that, because of all the personal data their company holds, they have personal legal obligations for ensuring it is protected adequately. Honan believes that information security professionals can help board members to understand their obligations from a regulatory compliance, governance and even ethical and moral point of view. He thinks information security professionals should be proactive about engaging with the business and demonstrating the potential value of security to achieving long-term business goals.
By taking the initiative and engaging the business regularly and consistently, executives will quickly learn what is important to them and what questions they should be asking. Honan is taking part in a panel discussion, ‘Dear executives, parlez-vous security’ during Info Security Europe, marking an important step towards better understanding and concrete action. 
