We’ve all heard the saying, “what gets measured gets done,” meaning that regular measurement and reporting helps to keep organizations focused on the information that matters. But with so many data points available to measure security, it is difficult to know where to begin. Security practitioners must constantly question what data they collect and why. Only by providing relevant measures can we understand how security impacts the business and enables strategic transformation.
Help the business understand risk
Business leaders and other stakeholders often struggle to understand information risk. Those with a background in areas such as finance or sales do not necessarily understand the relationship between security threats, vulnerabilities, incidents and what they all mean for the organization’s performance and finances. They may simply want to know: are we meeting regulatory obligations, are security investments delivering business value and are we prepared for a ransomware attack?
This means that security leaders and practitioners often assume responsibility for identifying what to measure and report. With such a wide range of security-related measurements to choose from, it is all too easy to veer off into technical details. If measurements are too detailed and focused on technical matters, stakeholders may be confused, remain uninformed or even be misled about information risk. We must therefore work to provide security measures that the business understands, finds useful and which lead to actionable outcomes.
Select measures carefully
Security practitioners have historically attempted to measure attributes related to controls, assets, vulnerabilities, threat events, incidents and loss. However, it is a near-impossible task to measure everything all of the time. Identifying, collecting, aggregating, analyzing and refining measurements takes dedicated staff, valuable time and available budget – all of which are usually in short supply.
We must, therefore, start by asking the following questions before we proceed with aggregating enormous amounts of data:
- Why do we need to measure this?
- Who is going to see it?
- What is the question that this measurement helps to answer?
- What is the narrative that it tells? What is the expected outcome of reporting?
- Does it align to business objectives?
What can be measured?
To enable security practitioners to find the right measurements that support effective decision-making, it is necessary to understand the questions that business leaders and other stakeholders have about security. As noted earlier, business stakeholders may simply want to know:
- Are we meeting regulatory obligations?
- Are investments in security delivering value to the business?
- How prepared are we for a ransomware attack?
We recommend that organizations craft key indicators to respond to these questions, expressed as either key performance indicators (KPIs) or key risk indicators (KRIs). KPIs represent an expression of progress towards strategic aims and business goals, whereas KRIs are an indication of the level of risk and a warning sign that a risk may be above or below the agreed tolerance. Sample security KPIs and KRIs that may help answer these questions are below:
- % key controls implemented
- % critical applications assessed
- % critical devices patched
- % critical vulnerabilities beyond SLA
- cumulative financial loss
Whether choosing KPIs or KRIs, it is important to aspire to provide only a small number of key indicators at any time. Limiting the number of key indicators reported helps to relate information security to business priorities, and these should be regularly updated to show trends over time.
The primary challenge for information security teams is to report on measurements that are meaningful and useful to different stakeholders. Once key indicators are identified and agreed upon, security practitioners will need to identify lower-level metrics that can be aggregated to support them.
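As an added illustration (not code from the original article), the Python below aggregates constructed lower-level vulnerability findings into two of the sample indicators listed above, "% critical vulnerabilities beyond SLA" and "% critical devices patched", and compares the KRI against an agreed tolerance so that it works as a warning sign; the SLA days, the 10% tolerance and all finding records are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Remediation SLA in days by severity (assumed values for this example).
SLA_DAYS = {"critical": 15, "high": 30}
# Agreed KRI tolerance: at most 10% of open critical findings beyond SLA (assumed).
KRI_TOLERANCE_PCT = 10.0

@dataclass
class Finding:
    device: str
    severity: str
    discovered: date
    remediated: Optional[date]  # None while the finding is still open

def beyond_sla(f: Finding, as_of: date) -> bool:
    """An open finding is beyond SLA once its age exceeds the SLA for its severity."""
    if f.remediated is not None:
        return False
    return (as_of - f.discovered).days > SLA_DAYS[f.severity]

def pct_critical_beyond_sla(findings: List[Finding], as_of: date) -> float:
    """KRI: share of open critical findings that have overrun their SLA."""
    open_crit = [f for f in findings if f.severity == "critical" and f.remediated is None]
    if not open_crit:
        return 0.0  # no open critical findings means nothing is overdue
    return 100.0 * sum(beyond_sla(f, as_of) for f in open_crit) / len(open_crit)

def pct_critical_devices_patched(findings: List[Finding], critical_devices: List[str]) -> float:
    """KPI: share of critical devices with no open finding of any severity."""
    devices_with_open = {f.device for f in findings if f.remediated is None}
    patched = [d for d in critical_devices if d not in devices_with_open]
    return 100.0 * len(patched) / len(critical_devices)

def kri_status(value_pct: float, tolerance_pct: float = KRI_TOLERANCE_PCT) -> str:
    """Translate the KRI value into the warning the business actually reads."""
    return "within tolerance" if value_pct <= tolerance_pct else "ABOVE TOLERANCE"

# Constructed sample data: four critical devices and a handful of findings.
AS_OF = date(2024, 3, 1)
CRITICAL_DEVICES = ["db-01", "erp-01", "pay-01", "web-01"]
FINDINGS = [
    Finding("db-01", "critical", date(2024, 2, 1), None),               # 29 days open: beyond SLA
    Finding("erp-01", "critical", date(2024, 2, 25), None),             # 5 days open: within SLA
    Finding("pay-01", "critical", date(2024, 1, 10), date(2024, 1, 20)), # remediated, not counted
    Finding("web-01", "high", date(2024, 2, 10), None),                 # 20 days open: within high SLA
    Finding("db-01", "critical", date(2024, 2, 20), None),              # 10 days open: within SLA
]

if __name__ == "__main__":
    kri = pct_critical_beyond_sla(FINDINGS, AS_OF)
    print(f"% critical vulnerabilities beyond SLA: {kri:.1f}% ({kri_status(kri)})")
    print(f"% critical devices patched: {pct_critical_devices_patched(FINDINGS, CRITICAL_DEVICES):.1f}%")
```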
Measuring for success
While awareness of cyber threats is growing, many business leaders and other decision-makers have low confidence in how to manage information risk – because they don’t understand it, let alone know how to effectively measure it. By driving appropriate lines of questioning and measurement, security practitioners have an opportunity to raise that level of confidence with measurements that are trustworthy, relevant, timely and actionable.
Finding an effective way to measure and report on information security does have a real payoff. Organizations that can maintain an understanding of how information risk is likely to impact operations and performance and can build on that understanding to ask additional questions for added insight will be much better equipped to thrive in an uncertain, fast-changing business environment.