Cybersecurity performance management platform SeeMetrics has announced the launch of Security Performance Boards to help CISOs measure the cybersecurity effectiveness of technologies, processes, and people. The boards draw cybersecurity performance assessment from an organization’s operational stack, providing a centralized, business-aligned view of measurements, metrics, and key performance indicators (KPIs) to support a proactive and preventative approach to detecting emerging risks and gaps, the firm said in a press release. Among SeeMetrics’ Security Performance Boards are vulnerability management, endpoint protection, identity management, email security, security awareness, and incident response, it added.

Metrics can be of significant value to CISOs and their organizations in gauging and improving their security posture, pinpointing areas of strength and weakness. They can also be useful when presenting to corporate boards, providing security leaders data-driven, quantifiable evidence to explain the value of security programs as well as support requests for things like increased security budget and resources. “Security performance metrics are invaluable tools to assess, communicate, and improve the security posture of organizations,” Frank Kim, fellow at the SANS Institute and lead of the Cybersecurity Leadership Curriculum, tells CSO. “Leveraging these metrics empowers the CISO to make data-driven decisions, strengthen security measures, and align security efforts with overall business goals.”

Most CISOs lack centralized security performance measurement method

The majority of CISOs are required to prove the value of their security programs and tool stack, expected to quickly answer questions around performance, progress, and budget, SeeMetrics said.
Adding to the complexity is the increasing size of their security stack, with the average global organization having more than 29 security solutions in place.

Whereas other C-suite leaders such as those of finance, sales, and marketing use integrated data platforms such as CRM and ERP, most CISOs have yet to adopt a centralized tool that streamlines data points from dozens of operational security tools into an executive view, potentially leaving them without the ability to instantly know the state of their operations and how that impacts the overall performance, according to SeeMetrics.

Metric boards provide “bird’s eye view” of security capabilities, tools

SeeMetrics’ new boards are therefore designed to provide a bird’s eye view of overall capabilities and security tools, with each board drilling down into data that is trackable back to its source, the firm said.

The boards can be used to answer questions such as “How are my policies trending? How well are we performing compared to last quarter? How is our MTTR trending in the US versus Europe?” according to Shirley Salzman, CEO and co-founder of SeeMetrics.

“Security measurements are essential to helping us understand how well our tools, and therefore how our security programs, are performing,” says Sounil Yu, author of Cyber Defense Matrix. “SeeMetrics’ introduction of Security Performance Boards is an exciting milestone in the evolution of cybersecurity metrics, giving us security leaders a practical, tangible, and insightful way to really understand with confidence how our stack is performing in real time and on a continuous basis.”

Most CISOs are “drowning in metrics”

Most CISOs are drowning in metrics. However, many of them lack meaning or context relevant to the business, Fred Rica, partner at BPM and former head of KPMG’s cyber practice, tells CSO.
“They don’t generally support or align with business objectives; they don’t support how cyber is enabling the business.”

Board members need to be asking (and CISOs need to be answering) three simple questions, Rica adds. These are: What are we doing? Is it enough? How do we know? “In order to answer these questions and have effective board level metrics that have meaning and context, we first need a cyber program – a program that is based on a standard, that reflects the risk tolerance of the organization, that identifies and focuses effort on the most important assets, that understands and accepts any residual risk, and is focused on defending against the most likely attackers and highest risk events.”

With the CISO being a strategic position aligned with the business mission, metrics generated by security must be evidence-based and data-driven like other strategic business units, says Brian Contos, CSO at Sevco Security. “CISOs are a strategic part of the business. To measure any strategic business unit’s operational efficiencies and effectiveness, metrics are required. Metrics from the CISO must be accurate and timely, align with business priorities, address the risks the organization is most concerned with, and be predicated on evidence,” he adds.

A CISO that generates these metrics illustrates their team’s value to the business and enables the organization to make more informed decisions, mitigate business risks, and capitalize on opportunities, Contos says.