6 security metrics that matter – and 4 that don’t

The increasingly high stakes of getting security right and growing board interest means metrics are more important than ever. But there are some metrics that are more useful than others.

One of the most challenging executive tasks for CISOs is quantifying the success and the value of the cybersecurity function.

Indeed, security leaders and their organizations have used a myriad of metrics over the years. Yet, many executives and board members have complained that those measures failed to provide them with adequate insight or understanding of how well the security department is performing, how it’s improving, and where it’s falling short.

“Too much technical jargon is being presented to the chief executive and the board. CISOs are still telling the board about critical vulnerabilities and the number of patches, but the board doesn’t understand that because there’s not any proper context provided,” says Jarrett Kolthoff, president and CEO of security firm SpearTip.

He adds: “Those numbers might be great for the CISO, but the CISO needs to work [on developing metrics] that offer context so the board understands risk and how much investment in security is needed.”

Cybersecurity experts, including Kolthoff, said there’s no one metric that can work for all CISOs to demonstrate how well their security efforts are working and whether they’re improving over time. But there are some metrics, or the right combination of measures and narrative, that are more useful than others.

To continue reading this article register now

21 best free security tools to make your job easier