CISOs have multiple ways of quantifying the work they do, from counting the number of threats thwarted to the number of patches performed. Some of those metrics speak to the volume of work being performed, while others – such as mean time to detect and mean time to respond – offer insights into the effectiveness of the department’s people, processes and technology.

Although those metrics are important, some security experts say they turn to other indicators to determine the overall strength of their cybersecurity department. Those indicators go beyond any single snapshot of how the security team is performing in a particular area and speak instead to its overall performance within the enterprise.

Here, CISOs and security advisers share what they consider signs of a great cybersecurity program.

Unsolicited praise

Veteran security leader Mary Gardner considers unsolicited praise for security-related projects, particularly those that were initially met with resistance, a sincere recognition that the business values the security department’s efforts.

Gardner, now CISO at F5 Networks, had led a multifactor authentication initiative at a healthcare organization, where clinicians at first resisted the security measure because they feared it would slow down access to applications. But she and her security team met with workers and assured them that the initiative would deliver benefits. More importantly, the new security measure did just that. And when clinicians realized that multifactor authentication provided faster login than the prior process and allowed them mobile access to more applications, they volunteered their praise. “I prefer that spontaneous feedback because that means we did something so well they felt the need to comment on it,” Gardner explains.

Help covering security costs

The security team’s own budget will cover much of the security spend, particularly for core items like the firewall solution and the antivirus software. But security teams often advocate for additional investments tied to specific business initiatives only to find that their business colleagues balk at adding — let alone paying for — those extra security layers. Yet John Pescatore, director of emerging security trends at the SANS Institute, a cybersecurity training organization, says he has seen security teams work effectively with their business colleagues to demonstrate how security measures can enable their goals, so much so that the business unit picks up the tab.

For example, Pescatore says he has seen a marketing department pay for a recommended social media security solution, and DevOps teams cover the cost of adding security tools into the early part of the development process because they understand that doing so shortens the development cycle. “When you see organizations make these steps forward, that’s a sign of an advanced security program,” he adds. “A security team is successful when they’re in demand and the business is willing to pay for the security measures; it means they see the benefit of them.”

Proof of efficiency

CISOs are accustomed to collecting and presenting metrics such as mean time to detect as a way to measure the security department’s effectiveness, but Pescatore says strong security programs are starting to measure efficiency as well. He says such metrics are modeled after the ones CIOs use to quantify the efficiency of the IT team, such as IT spending as a percentage of organizational revenue.

“Good CIOs had to learn to do this,” Pescatore says, adding that he’s seeing security teams use measures such as SOC headcount per node, security headcount as a percentage of IT headcount, and average time to approve a security-related request as measures of efficiency. “The key is to get both more effective and more efficient,” he explains. He says CISOs can look at improvements in such measures as an indication that security is doing a good job of enabling the business to move as fast as it needs to.

Requests for advice

CISOs say they want to be viewed as trusted business partners, and Gardner knows she’s hitting that mark when her colleagues approach her or her team members for advice. She points to an exchange at one of her previous employers as a case in point: The developers there were troubled by the login mechanism on an application they were building and turned to the security team for advice. “If they see something that’s off and reach out to us to ask about it, that means they know who we are and they feel comfortable coming to us,” she says. “They have trust in us, and they look to us to help them.”

Good relationships with board members, other executives

Similarly, Gardner sees a positive relationship with board members and other executives as an indicator of a strong security program. “When you’re talking with the board and board members and the executive staff on a regular basis it means you’re looked at as a trusted advisor,” she says.

In such circumstances, the CISO is doing more than just briefing the others; the CISO is bringing his or her perspectives, offering advice and helping craft strategy. “That goes for anyone in my organization, not necessarily just the CISO. When leadership knows who my team is, when they recognize the team, the more I know that I’m nailing it,” Gardner adds.

High marks on maturity measures

Security leaders say scoring well against established security frameworks, such as the one from NIST and the ISO/IEC 27001 IS standard, is a sign of an established, mature program. Caleb Sima agrees. Sima, vice president of security at Databricks, developed a maturity model for his security function using industry standards including the NIST matrix. He built a grid to determine how mature his company’s security program is and to track its improvements over time. “[I can say,] ‘Here’s where we are; here’s where we want to be in a year. This is how we identify if we have a good security structure and whether we are making progress,” he says, noting that it helps him show not only his staff but the company executives and other employees how security is doing. “It’s a very tactical, technology-driven approach.”

Reports of positive user experience

Sima says another marker of a successful security program is how well it meets user expectations and whether it provides a positive user experience. He surveys company employees to determine whether his security team is doing a good job, using three surveys for three different sets of users (product engineers, IT and the rest of the workforce). “If we’re maturing our program and at the same time we have the right relationship feedback, those are then good indicators of a good program,” he says.

Third-party approvals

The stamp of approval from outside agencies remains an important measure of success, says Matthew Ferrante, practice leader for cyber and information security services at Withum, a tech service provider. “You need a truly independent audit with a third-party firm, and that firm needs to be appropriately selected,” he says, adding that the CISO should avoid those that provide “friendly results” and instead go with only those offering a rigorous examination of security policies, processes, procedures and technologies.

“Getting a third-party view helps show that your security is aligned correctly and that it’s working correctly,” he says. Similarly, Bruce Beam, CIO at the security organization (ISC)2, says he seeks out certain certifications, such as PCI DSS, that indicate a third party has reviewed – and approved of – the job that the security team is doing. He also looks for those certifications in the companies he does business with before allowing them to connect to his organization’s network.

A positive ROI

Michael Coden, managing director and global leader for the cybersecurity practice at BCG Platinion, part of Boston Consulting Group, says security teams that can measure and demonstrate a positive return on investment show that they have a strong enterprise program in place. He says an organization should see its risk decrease by a larger amount than the amount it’s investing in security technologies, processes, procedures and training. “So if we spend $10 million implementing multifactor authentication or implementing a new training program and our risk is reduced by $1 billion, that’s a pretty good ROI,” he says, explaining that his firm uses an automated tool called Cyber Doppler to quantify risk, which can then be used to calculate ROI.

A pervasive security mindset

Once, while leading a security team at a prior employer, Beam wanted to reward several staffers for doing a great job. He sent them each a $50 electronic gift card. But the staffers refused to click on the link, thinking it was a phishing attempt. In some ways, Beam says, he shouldn’t be surprised by their response, as it indicates that the company has a strong security culture. He says that’s what he wants to see: security tightly woven into the corporate culture so that workers throughout all departments have a security-first mindset.