Using security metrics to achieve cyber resilience (Part Two in the series)

In the first of this two-part series (you can read part one here), we considered emerging channels for cyber attacks, the importance of cyber resilience, and how taking a risk-based approach to cybersecurity gives you an edge over cybercriminals.

In this second part of the series, we look at:

• Cybersecurity metrics

• Emerging methodologies

• The evolving role of IT security leadership

(Cyber) security metrics matter

Cybersecurity threats are always evolving. Fortunately, so are the processes and technology used to address and measure them. To understand how your security functions over time, you need to track cybersecurity metrics. These metrics can also demonstrate if your sensitive information is being protected and can communicate how well you are aligned with and supporting the business, its mission and goals.

Putting these metrics in place makes it possible to regularly evaluate the effectiveness of the safety measures in which you have invested. Measurement also helps to demonstrate to the business how cybersecurity efforts are saving the organization money by preventing and/or containing costly cyberattacks. And, in some industries, measurement reporting is a fiduciary or regulatory duty - having a clear process in place saves time, money, and reduces anxiety for those whose job it is to protect your data and systems.

Which cybersecurity metrics should you choose?

There is no single rule for choosing how to track or measure cybersecurity. Every company quantifies and assesses risk in its own way based on situational variables, such as: 

• Required protocols and certifications

• Company culture

• Industry

• Business model

• Global region

• Budget variances

• Individual personalities 

The risk-based approach to cybersecurity is customizable and enables you to tailor cybersecurity programs to specific requirements and operational vulnerabilities that are unique to your needs.

Examples of useful metrics to track include:

• Vulnerability management – how many devices on your network are fully patched?

• Unidentified devices on internal networks – are employees unknowingly introducing malware?

• Security incidents – simply tracking numbers doesn’t add much value; however, trending over time can provide insights to your program’s effectiveness and areas that may need more attention. Significant or unique events should communicated, as well.  

• Time to detect, resolve and contain – how long does it take to complete each critical phase?

From a business perspective, also consider communicating:

• How many deals you helped close or enabled.

• Ongoing or completed projects that enabled/supported key business initiatives.

Another related benefit to the risk-based approach involves how it separately measures both the risk reduction efforts you have made and the actual reduction in risk. Traditional practices measure collective effectiveness based on program completion. Although a single metric, measuring this way doesn't tell the entire story of your effort – or your risk.

Too often, we make decisions based on conflicting metrics. By clearly linking efforts or action taken to actual risk reduction, we can make business decisions that weigh impact more effectively. This provides the flexibility to adjust for risk reduction at any level, wherever risk exists.

Regardless of the metric, it has to be meaningful to the person or group to whom its being presented. Additionally, you should consider that you may have different tiers of metrics depending on the audience. More technical detailed metrics may be needed for some audiences and, in other cases, higher level summary metrics may be appropriate.

The evolving role of IT security leadership

Today a company’s most senior security resource is commonly involved in both quarterly and annual planning, inputs and results. Conversely, the organization's full executive leadership team is aware of cyber threats and vulnerabilities and invested in the decision-making, buying processes and prevention plans that inform its entire cybersecurity ecosystem—not just the CIO or CSO.

While having more stakeholders in the mix may sound counterintuitive to agility and efficiency, you'll realize many benefits to having the full team’s involvement. It provides alignment among departments and team members all driving toward the same goal—reducing risk.

This trend will continue as security planning continues to move from the back office to the front and security leaders become trusted advisors and partners to the business. 

Action to take for cyber security success

If an approach to cybersecurity is informed by fear, uncertainty and doubt, its runway for success will be short; stakeholders will lose their patience; and faith and trust will be lost. To stay vigilant, you must:

• know and address existing and emerging channels for cyberattack;

• familiarize yourself with security metrics and determine which ones are most meaningful to you; 

• employ a risk-based approach to address the most high-risk vulnerabilities; 

• educate your whole company about cybersecurity; 

• and give IT security a seat at the table. 

To tackle the most impactful risks to your business, you must move beyond compliance and prioritize your highest threats. This comprehensive approach offers the greatest cyber resilience and ultimately, it will pay big dividends.