
3 Security Metrics that Matter Most to Boards

Updated June 2021

Imagine the United Nations General Assembly with no translators – and people speaking dozens of different languages. That’s what it can be like when security teams and board members share metrics and data. The communications gap leaves many CISOs struggling to explain the value of security investments – and if you can’t communicate that value, you run the risk of falling out of sync with business priorities, managing misaligned expectations, or giving leaders a false sense of confidence about security readiness.

Odds are high that, in today’s uncertain environment, your board will come to you even more often with questions about sensitive data, risk levels, risk reduction, and security investments. Gartner predicted that by the end of 2020, 100% of large enterprises would be asked to report to their boards on cybersecurity and technology risk, up from 40% in 2018. The good news is that there are metrics that make sense and matter to both teams, so everyone can speak the same language – no translators needed. These metrics produce insights that boards and security teams can act on together, while taking into account people, processes, and technology.

Why traditional metrics cause communications gaps

Metrics have to align with business objectives if they’re going to make sense to boards. Here’s why metrics often fall short of this goal:

They’re not actionable. Metrics such as the number of daily phishing alerts don’t provide context – that is, they don’t tell CISOs whether the numbers are good news or bad news. If metrics don’t point to next steps such as changing processes, configuring products better, or identifying opportunities for automation, the path to action is unclear.

They’re centered on tools. Metrics often illustrate how tools are being used, not the results they yield and what those actually mean. Metrics based on tools are considered the low-hanging fruit of the security world: They’re easily available, but they don’t help you solve problems.

They don’t address people, processes, and technology. You need to factor in these three key pillars if you want the big picture on how your security model is performing.

The 3 security metrics that matter to boards

Now that you know which metrics to avoid, here’s a rundown on metrics that matter to leadership and are understandable to many stakeholders – not just the security team.

1. Visibility

Calculate how many systems you have supporting the enterprise, versus how many systems from which you collect and analyze logs. Count a system as covered only if its logs are actually arriving and being analyzed, not merely because it is configured as a log source. Do the same math for every environment. For example, if you have multiple cloud environments, do you have the same visibility into them as you do for on-premises data centers? Then decide whether you are collecting enough data from these systems to support the industry frameworks (such as the NIST Cybersecurity Framework and MITRE ATT&CK) you use to assess your threat detection and response capabilities.
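As an added worked example (not code from the original article), the following Python script computes the visibility metric described above: it joins a constructed CMDB export against a constructed SIEM log-source list, normalizes hostnames so FQDN and short forms match, and reports coverage per environment together with the uncovered systems and any sources that ship logs but are not in the inventory. The column names, environment labels and hostnames are assumptions.

```python
"""Logging-coverage metric: systems in the inventory vs. systems actually
shipping logs to the SIEM, broken down by environment.

Added example, not code from the original article. The CSV inventory and
the SIEM log-source list below are constructed sample data; the column
names and environment labels are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed CMDB export: one row per system that supports the business.
CMDB_CSV = """hostname,environment,owner
web-01.corp.example.com,onprem-dc,web-team
web-02.corp.example.com,onprem-dc,web-team
db-01.corp.example.com,onprem-dc,dba
Jump-01.corp.example.com,onprem-dc,infra
api-prod-a,aws-prod,platform
api-prod-b,aws-prod,platform
worker-prod-a,aws-prod,platform
bastion-prod,aws-prod,infra
analytics-vm-1,azure-analytics,data
analytics-vm-2,azure-analytics,data
"""

# Constructed SIEM log-source list (as exported from the SIEM's source
# management). Names differ in case and in FQDN vs. short form, which is
# exactly the mismatch that makes a naive string join undercount coverage.
SIEM_SOURCES = [
    "web-01", "WEB-02.corp.example.com", "jump-01",
    "api-prod-a", "bastion-prod",
    "analytics-vm-1.internal.cloudapp.net",
    "legacy-box-7",  # logs, but is not in the inventory: shadow IT or stale CMDB
]


def normalize(name):
    """Compare on the lowercase short hostname so FQDN and short forms match."""
    return name.strip().lower().split(".")[0]


def coverage_report(cmdb_csv, siem_sources):
    """Return (per-environment coverage dict, list of uninventoried log sources)."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(cmdb_csv)):
        inventory[normalize(row["hostname"])] = row["environment"]
    logging = {normalize(s) for s in siem_sources}

    per_env = defaultdict(lambda: {"total": 0, "covered": 0, "missing": []})
    for host, env in inventory.items():
        bucket = per_env[env]
        bucket["total"] += 1
        if host in logging:
            bucket["covered"] += 1
        else:
            bucket["missing"].append(host)

    report = {}
    for env, b in per_env.items():
        report[env] = {
            "total": b["total"],
            "covered": b["covered"],
            "coverage_pct": round(100.0 * b["covered"] / b["total"], 1),
            "missing": sorted(b["missing"]),
        }
    # Systems that send logs but are absent from the inventory are a finding too.
    unknown = sorted(logging - set(inventory))
    return report, unknown


if __name__ == "__main__":
    report, unknown = coverage_report(CMDB_CSV, SIEM_SOURCES)
    for env, r in sorted(report.items()):
        print(f"{env}: {r['covered']}/{r['total']} ({r['coverage_pct']}%) missing={r['missing']}")
    print("logging but not inventoried:", unknown)
```

The hostname normalization is the part that matters in practice: a naive match between an inventory export and the SIEM source list undercounts coverage whenever one side uses FQDNs or a different case. The "logging but not inventoried" list is worth putting in front of the board as well, because a system that ships logs but is missing from the CMDB points at either shadow IT or a stale inventory, and both undermine the denominator of this metric.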

2. Tool efficacy

You and your board need to know if security investments are paying off. To find out if current tools are working, measure factors like the number of issues that teams experience with tools, the number of outages or inactive services, and the number of vendor tickets. You can also track how thoroughly you’re integrating each tool’s features and functionality – a good measure of tool ROI.

3. Team performance

This is a challenging category to measure – but since it’s the “people” pillar, it’s very important. Consider what teams spend their time doing, like dealing with false positives or troubleshooting and administering tools, and how fast they generally respond to issues in the context of these distractions (using mean time to respond, or MTTR). By pulling together these team metrics, you can tell whether you’re properly staffed, or whether your team needs more training.

As you shift your focus to metrics that provide context along with numbers, consider seeking out metrics from partners or research houses – especially if you can find peer or industry benchmarks against which you can measure your team’s performance. Everyone wants to know if they’re the slowest gazelle, or the fastest.

Showing trends over time is another important requirement for giving context to metrics. Ideally, you should demonstrate how each investment in people, processes, and technology improved the security program and reduced enterprise risk. If you can share such metrics, your communications gaps will begin to disappear, you’ll all speak the same business language, and you’ll work towards maturing your security program.
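Added example for the team-performance metric and the trend-over-time point above (not code from the original article): from a constructed ticket export it computes, per quarter, the mean and median time to respond, the share of alerts that turned out to be false positives, and the share of analyst time those false positives consumed. The records and field names are assumptions about what a ticketing-system export would contain.

```python
"""Team-performance metrics from a ticket export: time to respond (mean and
median), false-positive share, and analyst time consumed by false positives,
grouped by quarter so the trend is visible.

Added example, not code from the original article. The records and field
names below are constructed assumptions about a ticketing-system export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed ticket export. analyst_minutes is hands-on handling time,
# distinct from the wall-clock opened->closed interval used for MTTR.
TICKETS = [
    {"id": "T1", "opened": "2021-01-05T08:00:00", "closed": "2021-01-05T11:00:00",
     "disposition": "true_positive", "analyst_minutes": 90},
    {"id": "T2", "opened": "2021-02-10T09:00:00", "closed": "2021-02-10T09:30:00",
     "disposition": "false_positive", "analyst_minutes": 20},
    {"id": "T3", "opened": "2021-02-20T14:00:00", "closed": "2021-02-21T14:00:00",
     "disposition": "true_positive", "analyst_minutes": 240},  # one slow case
    {"id": "T4", "opened": "2021-03-15T11:00:00", "closed": "2021-03-15T12:00:00",
     "disposition": "false_positive", "analyst_minutes": 15},
    {"id": "T5", "opened": "2021-04-02T10:00:00", "closed": "2021-04-02T11:00:00",
     "disposition": "true_positive", "analyst_minutes": 60},
    {"id": "T6", "opened": "2021-05-11T08:00:00", "closed": "2021-05-11T08:30:00",
     "disposition": "false_positive", "analyst_minutes": 10},
    {"id": "T7", "opened": "2021-05-30T16:00:00", "closed": "2021-05-30T18:00:00",
     "disposition": "true_positive", "analyst_minutes": 120},
    {"id": "T8", "opened": "2021-06-21T09:00:00", "closed": "2021-06-21T10:00:00",
     "disposition": "true_positive", "analyst_minutes": 60},
]


def quarter_of(ts):
    """Bucket an ISO timestamp into a label such as '2021-Q1'."""
    d = datetime.fromisoformat(ts)
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def hours_between(opened, closed):
    delta = datetime.fromisoformat(closed) - datetime.fromisoformat(opened)
    return delta.total_seconds() / 3600


def team_metrics(tickets):
    """Return {quarter: metrics} with MTTR, median TTR and false-positive load."""
    by_quarter = defaultdict(list)
    for t in tickets:
        by_quarter[quarter_of(t["opened"])].append(t)

    metrics = {}
    for q in sorted(by_quarter):
        rows = by_quarter[q]
        ttr = [hours_between(r["opened"], r["closed"]) for r in rows]
        fps = [r for r in rows if r["disposition"] == "false_positive"]
        total_minutes = sum(r["analyst_minutes"] for r in rows)
        fp_minutes = sum(r["analyst_minutes"] for r in fps)
        metrics[q] = {
            "alerts": len(rows),
            "mttr_hours": round(mean(ttr), 1),
            # Median is reported too: one long incident skews the mean badly.
            "median_ttr_hours": round(median(ttr), 1),
            "false_positive_pct": round(100 * len(fps) / len(rows), 1),
            # Share of analyst time burned on alerts that were not real.
            "fp_time_pct": round(100 * fp_minutes / total_minutes, 1),
        }
    return metrics


if __name__ == "__main__":
    for q, m in team_metrics(TICKETS).items():
        print(q, m)
```

Two design points. Reporting the median next to the mean matters because a single day-long case (T3 in the constructed data) drags Q1 MTTR to about seven hours while the typical alert was handled in two; a board shown only the mean would draw the wrong conclusion about staffing. And the false-positive time share, not just the false-positive count, is what tells you whether tuning detections or automating triage would actually free analyst time, which is the actionable context the earlier sections ask for.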

Looking for more information on security metrics that matter to boards?

View the CISO’s Guide to Metrics that Matter in 2020.
