Cybersecurity performance measurement boards cover vulnerability management, endpoint protection, identity management, awareness, and incident response.

Cybersecurity performance management platform SeeMetrics has announced the launch of Security Performance Boards to help CISOs measure the cybersecurity effectiveness of technologies, processes, and people. The boards draw cybersecurity performance assessment from an organization's operational stack, providing a centralized, business-aligned view of measurements, metrics, and key performance indicators (KPIs) to support a proactive and preventative approach to detecting emerging risks and gaps, the firm said in a press release. Among SeeMetrics' Security Performance Boards are vulnerability management, endpoint protection, identity management, email security, security awareness, and incident response, it added.

Metrics can be of significant value to CISOs and their organizations in gauging and improving their security posture, pinpointing areas of strength and weakness. They can also be useful when presenting to corporate boards, providing security leaders data-driven, quantifiable evidence to explain the value of security programs as well as support requests for things like increased security budget and resources.

"Security performance metrics are invaluable tools to assess, communicate, and improve the security posture of organizations," Frank Kim, fellow at the SANS Institute and lead of the Cybersecurity Leadership Curriculum, tells CSO. "Leveraging these metrics empowers the CISO to make data-driven decisions, strengthen security measures, and align security efforts with overall business goals."

Most CISOs lack centralized security performance measurement method

The majority of CISOs are required to prove the value of their security programs and tool stack, expected to quickly answer questions around performance, progress, and budget, SeeMetrics said.
Adding to the complexity is the increasing size of their security stack, with the average global organization having more than 29 security solutions in place. Whereas other C-suite leaders such as those of finance, sales, and marketing use integrated data platforms such as CRM and ERP, most CISOs have yet to adopt a centralized tool that streamlines data points from dozens of operational security tools into an executive view, potentially leaving them without the ability to instantly know the state of their operations and how that impacts overall performance, according to SeeMetrics.

Metric boards provide "bird's eye view" of security capabilities, tools

SeeMetrics' new boards are therefore designed to provide a bird's eye view of overall capabilities and security tools, with each board drilling down into data that is traceable back to its source, the firm said. The boards can be used to answer questions such as "How are my policies trending? How well are we performing compared to last quarter? How is our MTTR trending in the US versus Europe?" according to Shirley Salzman, CEO and co-founder of SeeMetrics.

"Security measurements are essential to helping us understand how well our tools, and therefore how our security programs, are performing," says Sounil Yu, author of Cyber Defense Matrix. "SeeMetrics' introduction of Security Performance Boards is an exciting milestone in the evolution of cybersecurity metrics, giving us security leaders a practical, tangible, and insightful way to really understand with confidence how our stack is performing in real time and on a continuous basis."

Most CISOs are "drowning in metrics"

Most CISOs are drowning in metrics. However, many of those metrics lack meaning or context relevant to the business, Fred Rica, partner at BPM and former head of KPMG's cyber practice, tells CSO. "They don't generally support or align with business objectives; they don't support how cyber is enabling the business."
Board members need to be asking (and CISOs need to be answering) three simple questions, Rica adds. These are: What are we doing? Is it enough? How do we know? "In order to answer these questions and have effective board level metrics that have meaning and context, we first need a cyber program - a program that is based on a standard, that reflects the risk tolerance of the organization, that identifies and focuses effort on the most important assets, that understands and accepts any residual risk, and is focused on defending against the most likely attackers and highest risk events."

With the CISO being a strategic position aligned with the business mission, metrics generated by security must be evidence-based and data-driven like those of other strategic business units, says Brian Contos, CSO at Sevco Security. "CISOs are a strategic part of the business. To measure any strategic business unit's operational efficiencies and effectiveness, metrics are required. Metrics from the CISO must be accurate and timely, align with business priorities, address the risks the organization is most concerned with, and be predicated on evidence," he adds.

A CISO that generates these metrics illustrates their team's value to the business and enables the organization to make more informed decisions, mitigate business risks, and capitalize on opportunities, Contos says.