Today, we witness an increasing number of cyber incidents across all industry domains. Boards of directors and senior management are educating themselves on their organization’s risk exposure to these cyber-related issues. Boards also are seeking a better understanding of the potential for cybersecurity initiatives to enhance their company’s strategic operations. Many board members have questions for their security staff such as, “How secure are we from a particular threat?” or “Can you promise me we won’t be the next [hacked company]?” Security professionals need to be able to answer these questions and help board members understand that cybersecurity does not control the threat landscape facing the company. Instead, the purpose of a mature cybersecurity program is to provide the business with a platform to manage its risk environment.
A company’s senior management is often responsible for the development of a clear, concise strategy to address threats and vulnerabilities to cyberattacks. The chief information security officer (CISO) is expected to have technologies and security controls in place that reduce the organization’s risk, as well as processes to monitor the effectiveness of the security program. It is standard best practice to use a risk management framework, such as NIST CSF, ISO 27001 or COBIT 5, as a platform to establish the current risk baseline. With this platform, selected metrics are chosen as real-time measuring devices to provide visibility into the value being provided to the company.
Security leaders must understand and embrace metrics as critical tools to tell their story about value. There is no specific template for what should be measured with metrics; every company’s business environment is different. I would recommend, however, that metrics be reported to senior leadership in the form of a narrative, using the metrics to explain how the security services support the organization and its strategic objectives.
Some primary considerations for creating this story with metrics are as follows:
- What is its purpose? Metrics should support a business goal. Connecting metrics to the business will help to prioritize resources more efficiently.
- Is it controllable? For metrics to have worth, they must demonstrate that specific goals are being met. So, metrics should measure processes and outcomes that the team controls.
- What is the context? Don’t take the results of a security tool and call it a metric; it must have meaning. Ask questions such as, “Why are we collecting it? What story does it tell?”
- Is there an understanding of what “good” is? Know the target value you want to achieve and the actions you want to take based on that amount.
- Is it quantitative? A quantitative value can be compared and demonstrate trends.
- How trustworthy is your data? The data used to create a metric should have a high level of accuracy, precision, reliability or
- Is it easy to process and analyze? The data should be collected, processed and posted to a central collection point. It should not take a long time to prepare and report your metrics. For example, if metrics are used in a weekly report, it should take two to three days to collect, process and post the received
The above recommendations help security leaders identify data and services to build the metrics they need. It is important to remember that the business environment will influence what data is collected to form these metrics. These metrics also will be dependent on the technologies deployed as part of the security platform, the security controls and the contracts for security services provided to the company.
A good example of a performance-based metric is “Reduce desktop remediation time from 6 hours to 4 hours by <date>.” Another metric, which could be used to measure the number of servers needing critical patches, is “Improve the number of fully patched servers from <current %> to 90% by <date>.” What is important with both examples is that you have a specific action you want to measure, something to measure it against and a timeframe to show success. The above examples are measurements that would be collected and imported into a data portal or dashboard to be analyzed and monitored for trends.
Now let’s look at an example of how metrics can be used to provide insight into how well an organization’s security program is performing. A CISO may collect a metric to track the number of compromised desktops each month, but that in itself provides little value to the business. If that CISO had requested to invest part of their security budget in a new AV/EDR solution, how would they measure the value this solution provides the business and its effectiveness in reducing risk?
One way would be to estimate the cost of a compromised desktop. An infected desktop is removed and reimaged, and the employee's data is recovered from the previous night’s backup. This process is equivalent to five hours of labor from the IT technician and five hours of lost productivity from the affected employee. Combined, this costs the business $225 per infected desktop. Currently, the organization is averaging 45 infected assets per month, which equals $10,125 per month or an annual cost to the business of $121,500 in lost productivity. With the new AV/EDR solution installed, the number of infected desktops per month is reduced by 60 percent over time. This reduction in the number of infected assets and the savings to the business in lost productivity is a metric the CISO can use to tell their story of the value the company receives from the recent investment in this new technology.
Security leaders will experience scrutiny from their organization on the services provided by the security program. To adequately answer these requests, make sure to continually balance the efficiency and effectiveness of the security controls by understanding the metrics and data that are collected. Two helpful sources to assist in creating metrics come from SANS and the Center for Internet Security. Remember, metrics are an opportunity to tell a story about the value security professionals provide to the business and how a mature security program is a risk-reduction, business-enablement platform.