Metrics’ Role in Cyber Transformation

We’ve all heard the saying, “what gets measured gets done,” meaning that regular measurement and reporting helps to keep organizations focused on the information that matters. But with so many data points available to measure security, it is difficult to know where to begin. Security practitioners must constantly question what data they collect and why. Only by providing relevant measures can we understand how security impacts the business and enables strategic transformation.

Help the business understand risk

Business leaders and other stakeholders often struggle to understand information risk. Those with a background in areas such as finance or sales do not necessarily understand the relationship between security threats, vulnerabilities, incidents and what they all mean for the organization’s performance and finances. They may simply want to know: are we meeting regulatory obligations, are security investments delivering business value and are we prepared for a ransomware attack?

This means that security leaders and practitioners often assume responsibility for identifying what to measure and report. With such a wide range of security-related measurements to choose from, it is all too easy to veer off into technical details. If measurements are too detailed and focused on technical matters, stakeholders may be confused, remain uninformed or even be misled about information risk. We must therefore work to provide security measures that the business understands, finds useful and which lead to actionable outcomes.

Select measures carefully

Security practitioners have historically attempted to measure attributes related to controls, assets, vulnerabilities, threat events, incidents and loss. However, it is a near-impossible task to measure everything all of the time. Identifying, collecting, aggregating, analyzing and refining measurements takes dedicated staff, valuable time and available budget – all of which are usually in short supply.

We must, therefore, start by asking the following questions before we proceed with aggregating enormous amounts of data:

  • Why do we need to measure this?
  • Who is going to see it?
  • What is the question that this measurement helps to answer?
  • What is the narrative that it tells? What is the expected outcome of reporting?
  • Does it align to business objectives?

What can be measured?

To enable security practitioners to find the right measurements that support effective decision-making, it is necessary to understand the questions that business leaders and other stakeholders have about security. As noted earlier, business stakeholders may simply want to know:

  • Are we meeting regulatory obligations?
  • Are investments in security delivering value to the business?
  • How prepared are we for a ransomware attack?

We recommend that organizations craft key indicators to respond to these questions, expressed as either key performance indicators (KPIs) or key risk indicators (KRIs). KPIs express progress towards strategic aims and business goals, whereas KRIs indicate the current level of a risk and act as a warning sign that it is approaching or has exceeded the agreed tolerance. Sample security KPIs and KRIs that may help answer these questions are below:

  • % key controls implemented
  • % critical applications assessed
  • % critical devices patched
  • % critical vulnerabilities beyond SLA
  • mean-time-to-respond
  • cumulative financial loss

Whether choosing KPIs or KRIs, it is important to aspire to provide only a small number of key indicators at any time. Limiting the number of key indicators reported helps to relate information security to business priorities, and these should be regularly updated to show trends over time.

The primary challenge for information security teams is to report on measurements that are meaningful and useful to different stakeholders. Once key indicators are identified and agreed upon, security practitioners will need to identify lower-level metrics that can be aggregated to support them.
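As an added illustration of that last step (this is example code, not part of the original article or any Protiviti tooling), the script below aggregates two low-level data sets into two of the sample indicators listed above: "% critical vulnerabilities beyond SLA" as a KRI compared against an agreed tolerance, and "mean-time-to-respond" as a KPI compared against a target. The vulnerability and incident records, the per-severity SLA days, the 25% tolerance and the 8-hour target are all constructed values chosen for the example; the function and field names are likewise assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Remediation SLA in days by severity (assumed values for this example).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class Vulnerability:
    asset: str
    severity: str
    found: date
    fixed: Optional[date]  # None means the finding is still open


@dataclass
class Incident:
    detected: datetime
    contained: datetime


# Constructed low-level records standing in for scanner and ticketing exports.
AS_OF = date(2024, 4, 30)
VULNS = [
    Vulnerability("web-01", "critical", date(2024, 4, 1), None),    # open 29 days
    Vulnerability("web-02", "critical", date(2024, 4, 26), None),   # open 4 days
    Vulnerability("app-01", "critical", date(2024, 4, 20), None),   # open 10 days
    Vulnerability("db-01", "critical", date(2024, 4, 10), date(2024, 4, 15)),  # closed
    Vulnerability("fs-01", "high", date(2024, 4, 15), None),        # open 15 days
]
INCIDENTS = [
    Incident(datetime(2024, 4, 2, 9, 0), datetime(2024, 4, 2, 13, 0)),   # 4 h
    Incident(datetime(2024, 4, 10, 22, 0), datetime(2024, 4, 11, 6, 0)),  # 8 h
    Incident(datetime(2024, 4, 20, 8, 0), datetime(2024, 4, 20, 14, 0)),  # 6 h
]


def pct_beyond_sla(vulns, severity, as_of):
    """KRI: share of *open* findings of the given severity older than their SLA."""
    open_findings = [v for v in vulns if v.severity == severity and v.fixed is None]
    if not open_findings:
        return 0.0
    beyond = [v for v in open_findings if (as_of - v.found).days > SLA_DAYS[severity]]
    return round(100.0 * len(beyond) / len(open_findings), 1)


def mean_time_to_respond_hours(incidents):
    """KPI: mean hours from detection to containment across the reporting period."""
    if not incidents:
        return 0.0
    total_seconds = sum((i.contained - i.detected).total_seconds() for i in incidents)
    return round(total_seconds / len(incidents) / 3600.0, 1)


def evaluate(name, value, limit, higher_is_worse=True):
    """Compare an indicator against its agreed tolerance or target."""
    breached = value > limit if higher_is_worse else value < limit
    return {
        "indicator": name,
        "value": value,
        "limit": limit,
        "status": "above tolerance" if breached else "within tolerance",
    }


def build_report(vulns, incidents, as_of):
    """Aggregate raw records into the small set of indicators a board would see."""
    return [
        evaluate("% critical vulnerabilities beyond SLA",
                 pct_beyond_sla(vulns, "critical", as_of), limit=25.0),
        evaluate("mean-time-to-respond (hours)",
                 mean_time_to_respond_hours(incidents), limit=8.0),
    ]


if __name__ == "__main__":
    for row in build_report(VULNS, INCIDENTS, AS_OF):
        print(f"{row['indicator']}: {row['value']} (limit {row['limit']}) -> {row['status']}")
```

With the constructed data, two of the three open critical findings have exceeded the seven-day SLA, so the KRI reports 66.7% against a 25% tolerance and is flagged, while the 6.0-hour mean response time sits inside the 8-hour target. Closed findings are deliberately excluded from the SLA KRI so that fixing old findings immediately improves the indicator; a separate KPI on closure times would be the place to credit that work.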

Measuring for success

While awareness of cyber threats is growing, many business leaders and other decision-makers have low confidence in how to manage information risk – because they don’t understand it, let alone know how to effectively measure it. By driving appropriate lines of questioning and measurement, security practitioners have an opportunity to raise that level of confidence with measurements that are trustworthy, relevant, timely and actionable.

Finding an effective way to measure and report on information security does have a real payoff. Organizations that can maintain an understanding of how information risk is likely to impact operations and performance and can build on that understanding to ask additional questions for added insight will be much better equipped to thrive in an uncertain, fast-changing business environment.


Joseph Burkard

Director
Security and Privacy
