One of the most daunting problems in cybersecurity has always been security metrics. In business, practically nothing matters in the absence of the ability to measure actionable results. Profit and loss are the drivers of all businesses. Even non-profit businesses use metrics to plot their mission and meet their goals.

The problem with security metrics is that most of the time, they are not measured in what was achieved but rather in what was prevented. Often, prevention is unverifiable. Can you measure how many burglaries were averted because you locked your front door? Modern technology has changed this. For example, prior to the invention of the doorbell camera, home burglary prevention was mostly unverifiable. One could only estimate the number of times that someone may have attempted to commit a burglary via an unlocked door. This estimate was based on a sampling of similar successful burglaries in a particular area over a specific time period.

Prior to new cybersecurity technologies, a security professional could only estimate how many cyberattacks were prevented based on similar successful attacks across the entire cyber-landscape. This was often met with copious eye-rolling by skeptical C-level executives who could effectively argue that their company was not in the same industry as the recent targets or more myopically that their company was not an “attractive target.”

Key Challenges of Measuring Meaningful Metrics

Even with the development of new cybersecurity tools, measuring an organization’s cybersecurity readiness has still been difficult. Some of the key challenges include the ability to capture all the meaningful data, represent that data in an efficient manner so it can be consumed, accurately analyze that data, and use the analysis to evaluate the overall cybersecurity posture of the organization. Sometimes, the multiplicity of tools creates its own problems of too many data sources to make