Organizations’ InfoSec spending is expected to increase through the second half of 2021 and into 2022. In May of this year, Gartner wrote that worldwide spending on information security and risk management capabilities would specifically increase 12.4% and reach $150.4 billion by the end of the year. This translated into an IT security budget of over $100 million for 34% of organizations, according to a ReliaQuest study conducted by the Ponemon Institute.
However, organizations don’t always have the means to use those budgets effectively. The problem often traces back to a lack of understanding of, and strategic thinking about, enterprise information security. Indeed, our report revealed that only 37% of security leaders are tracking the metrics they need to communicate risk easily and accurately to their organization’s business executives and Board. It’s therefore no surprise that an even smaller proportion (31%) of respondents said that their senior leadership and the Board were tracking cybersecurity risk as a business risk.
Cybersecurity Metrics That Help Frame InfoSec as a Business Risk
Security leaders aren’t satisfied with the state of things depicted above. On the contrary, our report uncovered that most respondents are committed to developing a stronger risk-based security posture. This involves using metrics that matter to better align security initiatives, track progress over time, and make improvements.
Key Security Metric #1: Visibility
Organizations can’t be efficient with incident response without the proper level of visibility over their environment. Organizations need comprehensive visibility into 100% of what’s going on in their systems, regardless of whether they are on-premises or in the cloud. This critical metric tells them where they lack coverage from a data perspective and is directly tied to the level of detection that can be performed.
Key Security Metric #2: Team Performance
How teams are performing extends beyond just Mean Time to Resolution (MTTR). In fact, there are much more fundamental questions at stake that CISOs need to answer. For instance, “Where are their teams spending their time?” If they’re spending a sizable portion of their time collecting data to perform investigations, then these security leaders can focus on how to shorten the time it takes to do this activity.
Along those same lines, here’s another fundamental question CISOs should have the answer to: “How well do the teams understand their environment?” CISOs need to ensure that their security teams are working efficiently. They can do this using two supplemental metrics: anomalous safe rate and true positive rate. The former covers anomalous activity that appears safe but comes across as malicious in the general context. This indicator helps to tune the fidelity of incoming alerts, further reducing the noise. True positives are indicators of real threats that need attention.
Key Security Metric #3: MITRE ATT&CK mapping
While log source coverage is important for visibility, detection coverage helps you gauge how well you are protected against the industry-standard stages of an attack cycle.
By mapping against industry frameworks like MITRE ATT&CK® or the Kill Chain, you can determine whether you have the controls you need to get critical visibility into the types of threats that are of concern to the business. From there, you can map your use cases across your major detection controls (SIEM, EDR, UEBA) to these frameworks to understand which attack techniques you have visibility into. You can see progress against your program goals, identify gaps in real time, and focus your efforts to decrease risk.
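As an added illustration of the mapping described above (example code, not ReliaQuest’s tooling), the script below takes a constructed inventory of detection use cases per control (SIEM, EDR, UEBA), each tagged with the ATT&CK technique IDs it is meant to catch, and a constructed list of techniques of concern grouped by tactic. It reports per-tactic coverage, the uncovered techniques (gaps), and techniques that rely on a single control. The technique IDs are real ATT&CK identifiers used illustratively; the use-case names and the list of concerns are made up.

```python
"""Detection-coverage mapping against MITRE ATT&CK (added example)."""
from collections import defaultdict

# Constructed sample: detection use cases per control, tagged with the
# ATT&CK technique IDs each use case is designed to detect.
DETECTIONS = {
    "SIEM": {"Inbound phishing mail rule": ["T1566"],
             "PowerShell execution": ["T1059"]},
    "EDR": {"LSASS memory access": ["T1003"],
            "Script interpreter launch": ["T1059"]},
    "UEBA": {"Impossible travel login": ["T1078"]},
}

# Constructed sample: techniques the business cares about, grouped by tactic.
TECHNIQUES_OF_CONCERN = {
    "Initial Access": ["T1566", "T1078"],
    "Execution": ["T1059"],
    "Credential Access": ["T1003"],
    "Lateral Movement": ["T1021"],
    "Impact": ["T1486"],
}


def coverage_by_technique(detections):
    """Return {technique_id: set of controls with at least one use case for it}."""
    covered = defaultdict(set)
    for control, use_cases in detections.items():
        for technique_ids in use_cases.values():
            for tid in technique_ids:
                covered[tid].add(control)
    return covered


def coverage_report(detections, concern):
    """Per tactic: coverage ratio, uncovered techniques, single-control techniques."""
    covered = coverage_by_technique(detections)
    report = {}
    for tactic, techniques in concern.items():
        hit = [t for t in techniques if t in covered]
        report[tactic] = {
            "coverage": len(hit) / len(techniques),
            "gaps": [t for t in techniques if t not in covered],
            # Covered by only one control: a tuning or outage there blinds you.
            "single_control": [t for t in hit if len(covered[t]) == 1],
        }
    return report


if __name__ == "__main__":
    for tactic, row in coverage_report(DETECTIONS, TECHNIQUES_OF_CONCERN).items():
        print(f"{tactic:18s} {row['coverage']:>4.0%}  gaps={row['gaps']}  "
              f"single_control={row['single_control']}")
```

Re-running the report each quarter against the same list of concerns gives the trend line referred to above; techniques that move from the gaps list to the single-control list, and then off both, are the measurable progress.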
Deliver Board-Ready Cybersecurity Metrics with ReliaQuest’s Security Model Index
As the discussion above helps to illustrate, most metrics we tend to hear about don’t ultimately work for organizations’ security programs because they don’t frame security in terms that are actionable and business-ready.
That’s where ReliaQuest comes in. To help bridge the security/business divide, ReliaQuest developed the Security Model Index to give CISOs and security leaders a way of easily reporting on visibility and team performance. They can use the Security Model Index to quantify their visibility and understanding of their risk footprint over time so that they can close any gaps, while examining their teams’ activities to document time savings, all benchmarked against their own performance in previous quarters and the performance of their peers. And importantly, operationalizing the MITRE ATT&CK framework helps teams understand gaps in coverage and prioritize investments and actions.
ReliaQuest designed the Security Model Index to work with organizations on an ongoing basis. One-and-done transactions don’t help when the threat landscape is constantly evolving. In contrast to other vendors, ReliaQuest uses the Security Model Index, GreyMatter, and its other solutions to commit to the maturity of its customers’ security programs, helping them continuously maximize their ROI and advance their vision.