
In the first article in this series, we discussed Understanding Attack Surface Analytics, and in the second installment we discussed Understanding What Constitutes Your Attack Surface. This article explores strategies for effectively communicating attack surface analytics.

Executive leadership (including board members) is not typically interested in operational security details, such as answers to questions about specific security control metrics. This information is too detailed and will be viewed as “noise” by those outside the IT and security teams.

In many organizations, executives really don’t care about security risks, but they are required by law to be informed of a significant security breach, whether through regulations, standards of ‘due care’ or fiduciary responsibility.

Instead of endless spreadsheet graphs and technical jargon, they want credible information about the organization’s security posture over time, giving them a frame of reference for trends and the direction in which things are moving. Eventually, this type of index could be used for competitive comparisons across organizations, business functions or processes.

It’s also important to note that credible information is very different from an opinion. The informed impression is supported by verifiable facts. CFOs are asked for this type of information constantly (and they will often just deliver it verbally on the fly), particularly when the underlying financial frameworks (such as GAAP analysis) are already understood by executives.

Over time, CFOs have developed trust with the executive leadership team. Being able to back up the impression in a factual, convincing manner is one of the key ways to build trust with non-technical executive leadership.

As a CISO, you’ll want to demonstrate how your group’s activities protect and enable the organization. And you’ll need to communicate that in ways that non-technical executive teams can understand.

Ultimately, ASA technology can allow visibility and communication of security status through the lens of factual and actionable business context, suitable for consumption by executives.

In short, CISOs need what CFOs have: a framework of solid, well-understood metrics that make it possible for non-security executives to make informed business and risk decisions. Further, this framework and these metrics will also enable the business to improve its understanding of, and shared accountability for, security results.

The challenge with communicating to non-technical executives is often how to distill the mountains of security control data your team manages into a meaningful visualization. Ideally, you’ll limit yourself to one or two slides and be able to communicate this meaningfully (without jargon) to non-technical executives within 5–15 minutes.

For more information, check out the whitepaper Understanding Your Attack Surface: The First Step in Risk-based Security Intelligence, and feel free to contact me at



Title image courtesy of ShutterStock