Editor’s note: We’ve published a new list of board-ready security metrics for 2022.
Imagine the United Nations General Assembly with no translators – and people speaking dozens of different languages. That’s what it can be like when security teams and board members share metrics and data. The communications gap leaves many CISOs struggling to explain the value of security investments – and if you can’t communicate that value, you run the risk of falling out of sync with business priorities, managing misaligned expectations, or giving leaders a false sense of confidence about security readiness.
Odds are high that, in today’s uncertain environment, your board will come to you even more often with questions about sensitive data, risk levels, risk reduction, and security investments. According to Gartner, by the end of 2020, 100% of large enterprises will be asked to report to their boards on cybersecurity and technology risk, up from 40% in 2018. The good news is that there are metrics that make sense and matter to both teams, so everyone can speak the same language – no translators needed. These metrics produce insights that boards and security teams can act on together, while taking into account people, processes, and technology.
Why traditional metrics cause communications gaps
Metrics have to align with business objectives if they’re going to make sense to boards. Here’s why metrics often fall short of this goal:
They’re not actionable. Metrics such as the number of daily phishing alerts don’t provide context – that is, they don’t tell CISOs whether the numbers are good news or bad news. If metrics don’t point to next steps such as changing processes, configuring products better, or identifying opportunities for automation, the path to action is unclear.
They’re centered on tools. Metrics often illustrate how tools are being used, not the results they yield and what those actually mean. Metrics based on tools are considered the low-hanging fruit of the security world: They’re easily available, but they don’t help you solve problems.
They don’t address people, processes, and technology. You need to factor in these three key pillars if you want the big picture on how your security model is performing.
The 3 security metrics that matter to boards
Now that you know which metrics to avoid, here’s a rundown on metrics that matter to leadership and are understandable to many stakeholders – not just the security team.
Calculate how many systems you have supporting the enterprise, versus how many of those systems you actually collect and analyze logs from. Do the same math for every environment. For example, if you have multiple cloud environments, do you have the same visibility into them as you do into your on-premises data centers? Then decide whether you are collecting sufficient data from these systems to align with the industry frameworks (such as NIST CSF and MITRE) that can assess the resulting threat detection and response capabilities.
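The visibility calculation above, as an added example that is not part of the original article: it joins a constructed asset inventory against the set of hosts a SIEM is actually receiving logs from, reports coverage per environment, lists the systems with no logs, and flags environments whose visibility trails the on-premises baseline (all hostnames and environment names are constructed sample data).

```python
from collections import defaultdict

# Constructed sample data (not from the article): asset inventory keyed by
# hostname -> environment, and the hostnames the SIEM actually receives logs from.
ASSET_INVENTORY = {
    "web-01": "on-prem", "web-02": "on-prem", "db-01": "on-prem", "ad-01": "on-prem",
    "api-a": "aws", "api-b": "aws", "batch-a": "aws",
    "fn-01": "azure", "fn-02": "azure",
}
SIEM_LOG_SOURCES = {"web-01", "web-02", "db-01", "ad-01", "api-a", "fn-01", "legacy-9"}


def log_coverage(inventory, log_sources):
    """Per-environment ratio of systems sending logs to systems in the inventory,
    plus the systems with no logs at all (the ones a board should hear about)."""
    total, logging, missing = defaultdict(int), defaultdict(int), defaultdict(list)
    for host, env in inventory.items():
        total[env] += 1
        if host in log_sources:
            logging[env] += 1
        else:
            missing[env].append(host)
    return {
        env: {
            "total": total[env],
            "logging": logging[env],
            "coverage": logging[env] / total[env],
            "missing": sorted(missing[env]),
        }
        for env in total
    }


def unknown_log_sources(inventory, log_sources):
    """Hosts that send logs but are absent from the inventory: the inventory itself
    is incomplete, so the coverage ratio overstates real visibility."""
    return sorted(log_sources - inventory.keys())


def visibility_gaps(report, baseline="on-prem"):
    """Environments whose coverage is lower than the baseline environment's."""
    ref = report[baseline]["coverage"]
    return sorted(env for env, row in report.items() if row["coverage"] < ref)


if __name__ == "__main__":
    report = log_coverage(ASSET_INVENTORY, SIEM_LOG_SOURCES)
    for env, row in report.items():
        print(f"{env:8} {row['logging']}/{row['total']} logging "
              f"({row['coverage']:.0%}); no logs from: {row['missing']}")
    print("below on-prem baseline:", visibility_gaps(report))
    print("logging but not in inventory:", unknown_log_sources(ASSET_INVENTORY, SIEM_LOG_SOURCES))
```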
2. Tool efficacy
You and your board need to know if security investments are paying off. To find out if current tools are working, measure factors like the number of issues that teams experience with tools, the number of outages or inactive services, and the number of vendor tickets. You can also track how thoroughly you’re integrating each tool’s features and functionality – a good measure of tool ROI.
3. Team performance
This is a challenging category to measure – but since it’s the “people” pillar, it’s very important. Consider what teams spend their time doing, like dealing with false positives or troubleshooting and administering tools, and how fast they generally respond to issues in the context of these distractions (using mean time to respond, or MTTR). By pulling together various team metrics, you can tell whether you’re properly staffed or whether your team needs more training.
As you shift your focus to metrics that provide context along with numbers, consider seeking out metrics from partners or research houses – especially if you can find peer or industry benchmarking stats against which you can measure your team’s performance. Everyone wants to know if they’re the slowest gazelle, or the fastest.
Showing trends over time is another important requirement for giving context to metrics. Ideally, you should demonstrate how each investment in people, processes, and technology improved the security program and reduced enterprise risk. If you can share such metrics, your communications gaps will begin to disappear, you’ll all speak the same business language, and you’ll work towards maturing your security program.