The new math of cybersecurity value

An increasing number of CISOs are devising a new set of metrics to show how they’re impacting risk at their organizations.


Jenai Marinkovic doesn’t put much stock in figures that show how many attacks she and her security team have stopped.

Those numbers, she says, really don’t provide any insights.

“Saying we blocked a million doesn’t tell us anything. It doesn’t communicate enough to other executives,” says Marinkovic, who provides virtual CISO services through Tiro Security and serves on the Emerging Trends Working Group with the IT governance association ISACA.

Marinkovic says CISOs instead need to find metrics that provide actionable information that they and the other enterprise leaders can then use to make decisions.

“They should be figures that help the business,” she says, adding that CISOs need to calculate how much they’re impacting the business, how much they’re getting for returns on their investments, and whether and to what degree they’re improving their security posture.
