3 Metrics to Gauge Cybersecurity Program Health
Imagine the United Nations General Assembly with no translators—and people speaking dozens of different languages. That’s what it can be like when security teams share metrics and data with their organization’s board of directors.
The communications gap leaves many CISOs struggling to explain the value of security investments—and if security professionals can’t communicate that value, they run the risk of falling out of sync with business priorities, managing misaligned expectations or giving leaders a false sense of confidence about security readiness.
The good news is that boards recognize the importance of engaging on cybersecurity issues and are becoming more sophisticated on the topic. According to Gartner, by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today. But there continues to be a gap between the day-to-day metrics of a security program and the board's priorities.
Lost in Translation
Fortunately, there are metrics that make sense and matter to both teams, so everyone can speak the same language—no translators needed. These metrics produce insights that boards and security teams can act on together while taking into account people, processes, and technology.
At their core, boards approve the strategic direction of an organization as well as how the organization allocates resources and mitigates risk. Security leaders have to present metrics that align with business objectives to make an impact at the board level. Here’s why many security metrics often fall short of this goal:
- Metrics such as the number of daily phishing alerts don’t provide context—that is, they don’t inform CISOs if the numbers are good news or bad news. If metrics don’t point to next steps such as changing processes, better configuration of products or identifying opportunities for automation, the path to action is unclear.
- Metrics often illustrate how tools are being used, not the results they yield and what those actually mean. Metrics based on tools are considered the low-hanging fruit of the security world—they’re easily available, but they don’t help solve problems.
- Often, organizations don’t address people, processes and technology—three key pillars necessary to construct a big-picture view of how a company’s security model is performing.
While these are metrics to avoid, there are different metrics that matter to leadership and are understandable to many more stakeholders, not just the security team. These metrics focus on the effectiveness of the resources being deployed (i.e. the security program's tools and people) as well as on ensuring you have the proper visibility to mitigate risk.
Tool efficacy
Board members and security professionals need to know if security investments are paying off. To find out if current tools are working, measure factors like the number of issues that teams experienced when using those tools, the number of outages or inactive services and the number of vendor support tickets. Also, track how thoroughly each tool’s features and functionality are being integrated—a good measure of tool ROI.
Visibility
Calculate how many systems in total are supporting the enterprise and how many of those systems collect and analyze logs. Do the same math for every environment. For example, if there are multiple cloud environments, is there the same range of visibility into these environments as on-premises data centers? Then, decide if a sufficient amount of data is being collected from these systems to align to the applicable industry frameworks (such as NIST, CSF, and MITRE) that can assess resulting threat detection and response capabilities.
Team Productivity
Consider what teams spend their time doing, like dealing with false positives—which can lead to alert fatigue—or troubleshooting and administering tools and how fast they generally respond to issues in the context of these distractions (using mean time to respond, or MTTR). By pulling together various team metrics, organizations can understand if they are properly staffed or if a team needs more training. As focus shifts to metrics that provide context along with numbers, organizations can also consider seeking out metrics from partners or research houses—especially if this means finding peer or industry benchmarking statistics against which to measure a team’s performance. This is a challenging category to measure, of course—but since it’s the “people” pillar, it’s very important.
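The visibility and team-productivity calculations above, worked through as an added example (not code from the original article): per-environment log coverage computed the same way for on-premises and cloud, environments flagged when they fall below a coverage target, and the false-positive rate and MTTR derived from incident records. The asset inventory, incident records and the 80% coverage target are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed asset inventory: one record per system, its environment, and
# whether its logs reach the central log analysis platform. Not real data.
ASSETS = [
    {"host": "web-01", "env": "on-prem", "logs_collected": True},
    {"host": "db-01", "env": "on-prem", "logs_collected": True},
    {"host": "app-02", "env": "on-prem", "logs_collected": True},
    {"host": "vm-a1", "env": "cloud-a", "logs_collected": True},
    {"host": "vm-a2", "env": "cloud-a", "logs_collected": False},
    {"host": "fn-b1", "env": "cloud-b", "logs_collected": False},
    {"host": "fn-b2", "env": "cloud-b", "logs_collected": False},
]

# Constructed incident records: when the alert fired, when it was closed, and
# whether triage concluded it was a false positive.
INCIDENTS = [
    {"id": 1, "opened": "2024-03-01T08:00", "closed": "2024-03-01T09:30", "false_positive": False},
    {"id": 2, "opened": "2024-03-01T10:00", "closed": "2024-03-01T10:15", "false_positive": True},
    {"id": 3, "opened": "2024-03-02T14:00", "closed": "2024-03-02T18:00", "false_positive": False},
    {"id": 4, "opened": "2024-03-03T09:00", "closed": "2024-03-03T09:20", "false_positive": True},
]

def log_coverage_by_env(assets):
    """Return {env: (covered, total, ratio)}: the same math applied to every environment."""
    counts = defaultdict(lambda: [0, 0])
    for a in assets:
        counts[a["env"]][1] += 1
        if a["logs_collected"]:
            counts[a["env"]][0] += 1
    return {env: (c, t, round(c / t, 2)) for env, (c, t) in counts.items()}

def visibility_gaps(assets, threshold=0.8):
    """Environments below the coverage target (assumed 80%): the ones to raise with leadership."""
    return sorted(env for env, (_, _, r) in log_coverage_by_env(assets).items() if r < threshold)

def _hours(opened, closed):
    return (datetime.fromisoformat(closed) - datetime.fromisoformat(opened)).total_seconds() / 3600

def team_metrics(incidents):
    """False-positive rate, hours spent on false positives, and MTTR over true positives only."""
    fps = [i for i in incidents if i["false_positive"]]
    tps = [i for i in incidents if not i["false_positive"]]
    mttr = sum(_hours(i["opened"], i["closed"]) for i in tps) / len(tps) if tps else 0.0
    return {
        "false_positive_rate": round(len(fps) / len(incidents), 2),
        "fp_hours": round(sum(_hours(i["opened"], i["closed"]) for i in fps), 2),
        "mttr_hours": round(mttr, 2),
    }
```

Tracking these three outputs over time gives the trend view the article asks for: coverage ratios that should rise, a false-positive rate that should fall, and an MTTR that is read alongside the hours lost to false positives rather than in isolation.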
Metrics that measure tool efficacy, visibility and team performance are also important to track over time to garner information on trends—another key requirement for giving context to metrics. Ideally, organizations should demonstrate how each investment in people, processes, and technology improved the security program and reduced enterprise risk. If such metrics can be shared, communication gaps will begin to disappear and everyone will speak the same business language—ensuring an organization’s security program is aligned to the business objectives and that the organization can focus on their core mission.