10 benefits of security performance metrics for CISOs

Measuring security performance may not sound like the most exciting exercise on the CISO’s agenda, but the right metrics can deliver significant value to security leaders and go a long way to helping them tackle a diverse set of challenges. The intersection of modern security and business means there are multiple metrics that CISOs can use to not only measure and improve the effectiveness of their security efforts but also demonstrate valuable strategic alignment with an organization, among numerous other benefits.

However, to get true value from any security performance metrics, CISOs must avoid drowning in metrics that lack meaning or context and focus instead on those that show how security is enabling the business.

There are thousands of things that can be measured in terms of security performance, and it takes serious time, effort, and resources to extract those measurements and report on them, says Richard Absalom, principal research analyst at the Information Security Forum (ISF). “The important thing to always consider is: Why are we measuring this? How is this measurement helping? What is the question that it can help to answer? If the measurement does not help to answer something that the stakeholder/decision-maker needs to know, it is likely to be ignored.”

CISOs need business-relevant, risk-focused, and — most critically — evidence-based metrics, Brian Contos, CSO at Sevco Security, tells CSO. “The highest priority areas that require metrics include business continuity, regulatory compliance, asset protection, operational efficiencies, and business mission enablement.”

Here are 10 benefits that the right security performance metrics can offer CISOs:

1. Objective decision-making

Incident response metrics — such as mean time to detect (MTTD) and mean time to respond (MTTR) — offer quantitative data that helps CISOs make objective decisions. “By tracking and analyzing key security indicators, CISOs can prioritize efforts, allocate resources, and focus on areas that need the most improvement,” says Frank Kim, fellow at the SANS Institute and lead of the Cybersecurity Leadership Curriculum.

2. Demonstrate ROI

Security investment metrics — such as the percentage of key business initiatives with embedded security processes — allow CISOs to demonstrate the return on investment (ROI) of security initiatives to executive leadership and stakeholders. This helps to justify budgets and investments by showing how these efforts contribute to risk reduction and incident prevention. “Regarding risk, it’s not cyber risk that stakeholders are concerned with; it’s the business risk from cyber,” Contos says. More specifically, it’s risks associated with revenue, brand, operations, and environmental, social, and governance, he adds.

3. Effective communication

Security awareness metrics — such as the percentage of business units with regular ambassador program engagement — help convey whether an organization is building a security-aware and risk-aware culture, providing “a common language for communicating security risks and improvements to non-technical stakeholders,” Kim says. CISOs can use metrics to explain the effectiveness of security measures and the overall security posture of the organization, something that has traditionally been a challenge for a lot of security leaders.

Bear in mind that CISOs who present very technical metric readouts to the board often miss the mark because board members cannot contextualize them, says Fred Rica, partner at accounting and consulting firm BPM and former head of KPMG’s cyber practice. “Telling the board you’ve blocked 100,00 events at the firewall is meaningless. Board members need to be asking (and CISOs need to be answering) three simple questions: What are we doing? Is it enough? How do we know?”

4. Risk assessment

Vulnerability management metrics — such as the window of exposure — help CISOs better understand an organization’s risk profile, and by monitoring trends and identifying potential vulnerabilities, they can proactively address security threats before they escalate.

“Ultimately, vulnerability management is about addressing the broken windows and unlocked doors of an enterprise,” Kim says. “These metrics convey how long these doors are potentially open for and serve to roll up day-to-day operational activities like scanning coverage, time to analyze and prioritize, as well as time to patch,” he adds.

5. Continuous improvement

Security process improvement metrics — such as the percentage of incidents with the same repeat root cause — track progress over time, enabling CISOs to set specific goals. “This data-driven approach helps drive continuous improvement in security practices and fosters a culture of accountability,” Kim says. These risk-based metrics can then make their way into annual reports, corporate governance documents, and committee charters, as they should because security is strategic to the business, says Contos.

6. Benchmarking

Security maturity metrics — such as capability maturity scores — can be compared with industry benchmarks like the various Center for Internet Security (CIS) Benchmarks, or even past performance, to help CISOs understand how their organization fares in terms of security maturity. This information can guide the development of realistic security targets and strategies.

For the board, the five pillars of the NIST Cybersecurity Framework often seem to resonate, Absalom says. Security leaders should look for indicators and metrics that help to answer how well the organization:

  • Identifies threats and assets at risk.
  • Protects identified assets.
  • Detects threat events.
  • Responds to detected events.
  • Recovers from incidents and limits their impact.

7. Regulatory compliance

As many regulations and standards require organizations to report on specific security metrics, having compliance metrics — such as the percentage of systems compliant with necessary standards or regulations — readily available makes it easier to meet compliance requirements, and avoid potential penalties, Kim says.

8. Early detection of issues

Threat detection metrics — such as the number of incidents detected by internal versus external entities or false positive/negative rates — can serve as early warning signs of potential security incidents or weaknesses in the security infrastructure. CISOs can proactively address these issues to prevent larger-scale breaches.
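The metrics named in points 1, 4, 5 and 8 (MTTD and MTTR, window of exposure, percentage of incidents with a repeat root cause, and incidents detected internally versus externally) all reduce to simple computations over incident and vulnerability records. The following is an added example, not code from the article or from any of the people quoted in it; the `Incident` and `Finding` record shapes, the constructed sample data, and the exact definitions (for instance, counting a still-open finding's exposure up to the reporting date rather than dropping it) are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

HOUR = 3600.0
DAY = 86400.0


@dataclass
class Incident:
    ident: str
    occurred: datetime      # start of malicious activity, as established by the investigation
    detected: datetime      # first alert or report
    resolved: datetime      # containment and eradication complete
    root_cause: str         # normalised root-cause label from the post-incident review
    detected_by: str        # "internal" (own tooling/staff) or "external" (customer, vendor, regulator)


@dataclass
class Finding:
    ident: str
    opened: datetime            # scanner first reported the vulnerability
    closed: Optional[datetime]  # None means still unremediated


def mttd_hours(incidents):
    """Mean time to detect: average hours between compromise and first detection."""
    return mean((i.detected - i.occurred).total_seconds() / HOUR for i in incidents)


def mttr_hours(incidents):
    """Mean time to respond: average hours between detection and resolution."""
    return mean((i.resolved - i.detected).total_seconds() / HOUR for i in incidents)


def repeat_root_cause_pct(incidents):
    """Share of incidents whose root cause was already seen in an earlier incident.
    This is an assumed reading of 'percentage of incidents with the same repeat root cause':
    the first occurrence of a cause is not a repeat, every later one is."""
    seen = set()
    repeats = 0
    for i in sorted(incidents, key=lambda x: x.occurred):
        if i.root_cause in seen:
            repeats += 1
        seen.add(i.root_cause)
    return 100.0 * repeats / len(incidents)


def internal_detection_pct(incidents):
    """Share of incidents first detected by the organisation itself rather than a third party."""
    internal = sum(1 for i in incidents if i.detected_by == "internal")
    return 100.0 * internal / len(incidents)


def window_of_exposure_days(findings, as_of):
    """Mean days a finding stays open. Still-open findings count up to `as_of`
    so that unremediated items lengthen the window instead of vanishing from it."""
    return mean(((f.closed or as_of) - f.opened).total_seconds() / DAY for f in findings)


def report(incidents, findings, as_of):
    """Roll the individual metrics into one dict suitable for a board-level summary."""
    return {
        "mttd_hours": mttd_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "repeat_root_cause_pct": repeat_root_cause_pct(incidents),
        "internal_detection_pct": internal_detection_pct(incidents),
        "window_of_exposure_days": window_of_exposure_days(findings, as_of),
        "top_root_causes": Counter(i.root_cause for i in incidents).most_common(3),
    }


# Constructed sample data (not real incidents): four incidents and three findings.
T = datetime.fromisoformat
INCIDENTS = [
    Incident("INC-1", T("2024-03-01T08:00:00"), T("2024-03-01T20:00:00"), T("2024-03-02T08:00:00"), "phishing", "internal"),
    Incident("INC-2", T("2024-03-05T00:00:00"), T("2024-03-07T00:00:00"), T("2024-03-07T12:00:00"), "unpatched vpn", "external"),
    Incident("INC-3", T("2024-03-10T10:00:00"), T("2024-03-10T16:00:00"), T("2024-03-11T16:00:00"), "phishing", "internal"),
    Incident("INC-4", T("2024-03-12T00:00:00"), T("2024-03-12T02:00:00"), T("2024-03-12T04:00:00"), "misconfiguration", "internal"),
]
AS_OF = T("2024-03-31T00:00:00")
FINDINGS = [
    Finding("VULN-1", T("2024-03-01T00:00:00"), T("2024-03-11T00:00:00")),
    Finding("VULN-2", T("2024-03-05T00:00:00"), T("2024-03-20T00:00:00")),
    Finding("VULN-3", T("2024-03-21T00:00:00"), None),   # still open on the reporting date
]

if __name__ == "__main__":
    for name, value in report(INCIDENTS, FINDINGS, AS_OF).items():
        print(f"{name}: {value}")
```

With the constructed data the report shows MTTD of 17 hours, MTTR of 12.5 hours, a 25% repeat-root-cause rate (the second phishing incident), 75% internal detection, and a window of exposure of roughly 11.7 days; the trend of these figures across reporting periods, rather than any single snapshot, is what supports the objective prioritisation the article describes.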

9. Resource optimization

Resource utilization metrics — such as the percentage of time spent on proactive versus reactive security tasks — can enable CISOs to identify areas of inefficiency or redundant security controls, leading to better resource allocation and cost optimization. This can prove crucial to helping security leaders manage the much-maligned cybersecurity skills shortage.

A recent report from the Department for Science, Innovation and Technology (DSIT) found that half of UK businesses are suffering from a basic cybersecurity skills gap, with a third battling more advanced skills shortages in relation to aspects of security such as forensic breach analysis, storing or transferring personal data, or detecting and removing malware.

10. Building trust

Security transparency metrics — such as the number of security incidents communicated to the business or feedback scores from internal stakeholders on security communication — can enhance the level of trust between the security team and other business units. When the effectiveness of security measures is quantified and communicated transparently, it boosts confidence in the security program, says Kim.
