The Most Useful and Impactful Security Metrics Every CISO Should Have

Brian Thomas | April 17, 2020

Security leaders are increasingly making their cases through metrics. Data-driven measurement of cybersecurity performance can be used to justify spending, quantify risk, and more. 

But just how useful are the numbers that many security teams are gathering and presenting to leadership? Not very, reports Dark Reading. In a series of interviews, security experts weighed in on their least favorite metrics — and they had a lot to say. One expert claimed that metrics calculations are too complex and fail to provide context behind their conclusions. Another stated that most cybersecurity metrics are too focused on the use of a vague scale of low, medium, and high measurements for risk.

Let’s look at the metrics that are most useful and impactful to security leaders and the business at large.

Outcome-based metrics

Metrics should give leadership a quantifiable measurement of cyber risk in their organizations and the outcomes associated with taking certain actions to address that risk.

BitSight Security Ratings, for example, use externally observable and verifiable data to provide an instantaneous, point-in-time snapshot of an organization’s overall security posture. A security rating is built using an assessment of risk vectors such as software vulnerabilities, unpatched systems, and open ports — and a higher rating equates to a better overall security posture.

With a baseline understanding of an organization’s cyber risk, security teams can then leverage forecasting tools to model scenarios and identify opportunities to improve their overall security performance. By creating action plans and tracking progress over time, they can achieve a truly outcome-based approach to cyber risk reduction.

Context-based metrics

Traditional metrics can often be overwhelming. In the Dark Reading report, one security expert commented that some metrics are too focused on “shock and awe.” For example, a CISO may report that there are an eye-popping 12,000 unpatched vulnerabilities in an organization’s IT ecosystem. Yet that number lacks context or consideration for risk. Is the metric good or bad? Is it normal for an organization of that size or in that industry? Do those vulnerabilities congregate on one digital asset or are they scattered across multiple assets?

To help security teams prioritize their efforts, security leaders need to give context to the numbers they report on.

This starts with gaining visibility into digital assets so they can be secured. To do this, teams must be able to quickly discover, assess, and report on areas of disproportionate risk — both on-premises and in the cloud — bringing much-needed context to their security postures.

They also need to determine an acceptable standard of care pertaining to cybersecurity as it relates to key factors, such as company size, industry, geography, etc. Likewise, businesses with subsidiaries or operations in multiple geographies can conduct similar analysis across their enterprises to pinpoint where the greatest cyber risk exists. In this way, they can monitor, manage, and report on their security programs in the same way that's expected of other departments and business units.

Metrics alone offer value, but being able to say how a company’s security program performs compared to others in the industry, and across highly dispersed organizations, can help drive informed decisions within the security practice.

Indeed, benchmarking security performance in relation to peers and organization groups enables organizations to measure and identify gaps in their security programs; make informed, comparative decisions about where to focus cybersecurity efforts; demonstrate program improvements; and advocate for increased cybersecurity resources. 
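The questions above (how the findings are distributed across assets, and how the count compares once normalized for organization size and against peers) can be answered from a scanner export. The following is an added example, not code from the original post or from BitSight; the findings, the asset inventory size and the peer benchmark rate are constructed values.

```python
"""Added example: turning a raw unpatched-vulnerability count into a contextualized metric."""
from collections import Counter

# Constructed sample: each finding is (asset, severity). A real input would be a scanner export.
FINDINGS = [
    ("web-01", "critical"), ("web-01", "high"), ("web-01", "high"), ("web-01", "medium"),
    ("web-02", "high"), ("web-02", "medium"),
    ("db-01", "critical"),
    ("mail-01", "medium"), ("mail-01", "low"), ("mail-01", "low"),
    ("vpn-01", "high"),
    ("wks-17", "low"), ("wks-22", "low"),
]

def contextualize(findings, total_assets, peer_rate_per_asset):
    """Return the raw count alongside the context needed to interpret it.

    total_assets: assets in scope (including those with no findings), assumed to come
                  from the asset inventory.
    peer_rate_per_asset: assumed benchmark of findings per asset for similar organizations.
    """
    per_asset = Counter(asset for asset, _ in findings)
    severity = Counter(sev for _, sev in findings)
    total = len(findings)
    affected = len(per_asset)
    top_asset, top_count = per_asset.most_common(1)[0]
    concentration = top_count / total   # share of all findings sitting on the single worst asset
    rate = total / total_assets         # findings per asset in scope; comparable across org sizes
    return {
        "raw_count": total,
        "affected_assets": affected,
        "coverage": round(affected / total_assets, 3),   # fraction of the estate with any finding
        "top_asset": top_asset,
        "top_asset_share": round(concentration, 3),
        "severity": dict(severity),
        "rate_per_asset": round(rate, 3),
        "vs_peers": round(rate / peer_rate_per_asset, 2),  # > 1.0 means worse than the peer benchmark
    }

if __name__ == "__main__":
    ctx = contextualize(FINDINGS, total_assets=40, peer_rate_per_asset=0.5)
    for key, value in ctx.items():
        print(f"{key}: {value}")
```

A concentration near 1.0 says one asset dominates and a single remediation effort fixes most of the count, whereas a high coverage figure with low concentration points at an estate-wide patching gap.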

Goal-driven metrics

Security leaders are under significant pressure to ensure that cybersecurity programs align with the objectives of the larger business. However, balancing the need to prevent cyber attacks with other business priorities can be tricky.

Nowhere is this more evident than in the onboarding of new vendors. These partners are essential to helping businesses grow and stay competitive, but they can also introduce unwanted cyber risk into the organization. To mitigate risk, they must be properly vetted in an efficient and consistent manner — but this can be hard when executives seek to accelerate onboarding processes to keep pace with business goals and realize value faster.

Risk metrics can help with this predicament. With a third-party cybersecurity risk management program that leverages security ratings, organizations can immediately shine a spotlight on cyber risk in prospective third, fourth, and nth parties. Security managers can then communicate that risk to business leaders in a clear and understandable way via a single metric, the security rating — thereby reducing the time it takes to make onboarding decisions. After the contract is signed, organizations can then monitor their vendors continuously, and receive alerts if any change in that party’s risk profile may require further investigation.

In this way, CISOs can turn third-party risk management from a roadblock into a business enabler. 

Using metrics to justify funding

Quantifying performance in terms of high, medium, and low grades is not accepted in any other part of the business to justify funding or growth, and the same should hold true for security leaders. Instead, security teams should leverage metrics that have a direct correlation to positive or negative outcomes. Security ratings, for example, correlate directly with the likelihood of a data breach. In fact, independent research found that companies with a BitSight Security Rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.

Put into practice, security leaders can use their security ratings to justify funds for their security program. Instead of a vague scale, they now have concrete numbers. If their rating drops, due to an increase in unpatched systems or other vulnerabilities, they can link that lapse to an increased likelihood of a breach — and make a case for X amount of dollars to fix the problem and improve their security posture.

Make the case, with the right metrics

Measures of success in cybersecurity are rapidly changing. It’s no longer enough to say that adding the right tools, people, and processes equates to improved security. As threats evolve and the digital ecosystem grows, organizations must find ways to make a data-driven and outcomes-based case for the necessary actions (and sometimes investments) needed to close the gaps in their security program.

More than vanity measurements, they need useful metrics that make security performance understandable and accessible to executives and the board. Only then can they facilitate data-driven conversations around cyber risk in the context of the wider business and drive the right corrective actions.
