Security leaders are increasingly making their cases through metrics. Data-driven measurement of cybersecurity performance can be used to justify spending, quantify risk, and more.
But just how useful are the numbers that many security teams are gathering and presenting to leadership? Not very, reportsDark Reading. In a series of interviews, security experts weighed in on their least favorite metrics — and they had a lot to say. One expert claimed that metrics calculations are too complex and fail to provide context behind their conclusions. Another stated that most cybersecurity metrics are too focused on the use of a vague scale of low, medium, and high measurements for risk.
Let’s look at the metrics that are most useful and impactful to security leaders and the business at large.
Metrics should give leadership a quantifiable measurement of cyber risk in their organizations and the outcomes associated with taking certain actions to address that risk.
BitSight Security Ratings, for example, use externally observable and verifiable data to provide an instantaneous, point-in-time snapshot of an organization’s overall cybersecurity posture. A security rating is built using an assessment of risk vectors such as software vulnerabilities, unpatched systems, and open ports — and a higher rating equates to a better overall security posture.
With a baseline understanding of an organization’s cyber risk, security teams can then leverage forecasting tools to model scenarios and identify opportunities to improve their overall security performance. By creating action plans and tracking progress over time, they can achieve a truly outcome-based approach to cyber risk reduction.
Traditional metrics can often be overwhelming. In the Dark Reading report, one security expert commented that some metrics are too focused on “shock and awe.” For example, a CISO may report that there are an eye-popping 12,000 unpatched vulnerabilities in an organization’s IT ecosystem. Yet that number lacks context or consideration for risk. Is the metric good or bad? Is it normal for an organization of that size or in that industry? Do those vulnerabilities congregate on one digital asset or are they scattered across multiple assets?
To help security teams prioritize their efforts, security leaders need to give context to the numbers they report on.
They also need to determine an acceptable standard of care pertaining to cybersecurity as it relates to key factors, such as company size, industry, geography, etc. Likewise, businesses with subsidiaries or operations in multiple geographies can conduct similar analysis across their enterprises to pinpoint where the greatest cyber risk exists. In this way, they can monitor, manage, and report on their security programs in the same way that's expected of other departments and business units.
Metrics alone offer value but being able to say how a company’s security program performs compared to others in the industry and across highly dispersed organizations can help drive informed decisions within the security practice.
Indeed, benchmarking security performance in relation to peers and organization groups enables organizations to measure and identify gaps in their security programs; make informed, comparative decisions about where to focus cybersecurity efforts; demonstrate program improvements; and advocate for increased cybersecurity resources.
Security leaders are under significant pressure to ensure that cybersecurity programs align with the objectives of the larger business. However, balancing the need to prevent cyber attacks with other business priorities can be tricky.
Nowhere is this more evident than in the onboarding of new vendors. These partners are essential to helping businesses grow and stay competitive, but they can also introduce unwanted cyber risk into the organization. To mitigate risk, they must be properly vetted in an efficient and consistent manner — but this can be hard when executives seek to accelerate onboarding processes to keep pace with business goals and realize value faster.
Risk metrics can help with this predicament. With a third-party cybersecurity risk management program that leverages security ratings, organizations can immediately shine a spotlight on cyber risk in prospective third, fourth, and nth parties. Security managers can then communicate that risk to business leaders in a clear and understandable way via a single metric, the security rating — thereby reducing the time it takes to make onboarding decisions. After the contract is signed, organizations can then monitor their vendors continuously, and receive alerts if any change in that party’s risk profile may require further investigation.
In this way, CISOs can turn third-party risk management from a roadblock into a business enabler.
Using metrics to justify funding
Quantifying performance in terms of high, medium, and low grades is not accepted in any other part of the business to justify funding or growth, and the same should hold true for security leaders. Instead, security teams should leverage metrics that have a direct correlation to positive or negative outcomes. Security ratings, for example, correlate directly to an enhanced risk of data breaches. In fact, independent research found that companies with a BitSight Security Rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.
Put into practice, security leaders can use their security ratings to justify funds for their security program. Instead of a vague scale, they now have concrete numbers. If their rating drops, due to an increase in unpatched systems or other vulnerabilities, they can link that lapse to an increased likelihood of a breach — and make a case for X amount of dollars to fix the problem and improve their security posture.
Make the case, with the right metrics
Measures of success in cybersecurity are rapidly changing. It’s no longer enough to say that adding the right tools, people, and processes equates to improved security. As threats evolve and the digital ecosystem grows, organizations must find ways to make a data-driven and outcomes-based case for the necessary actions (and sometimes investments) needed to close the gaps in their security program.
More than vanity measurements, organizations need useful information security metrics like outcome, context, and goal-based ones that make security performance understandable and accessible to executives and the board. Only then can they facilitate data-driven conversations around cyber risk in the context of the wider business and drive the right corrective actions.
There’s no question about it: Being exposed to cyber risk is an inevitable part of doing business in today’s world. In fact, a recent ESG study found that 82% of organizations believe that cyber risk has increased over the past two years.
Your IT department spends a great deal of time distributing security information and maintaining your organization’s internal security processes. Unfortunately, a persistent threat, deemed shadow IT, is still making its way into your...
It’s every security manager's worst nightmare. A member of the IT department reaches to alert that malicious software has been detected on an internal network, and the hacker potentially has access to layers of sensitive data. In the...