.png)
In our most recent webinar, we looked into how to build and manage a cybersecurity metrics program well, and the things we can achieve by doing so – including effective storytelling.
As many CISOs and security teams agree, questions like “Are we secure?”, “Are we compliant?”, “Did we improve?” and “How are we trending against specific threats?” are hard to answer as they require a lot of data collection and reliance on different experts. And in the end, the answers often don’t add up to a cohesive narrative.
The world of cybersecurity is so dynamic that in answering such questions, the road from point A to point B always has a detour or two, if not more. Generally speaking, by the time the data is collected, it is often no longer even relevant or right.
What versus How
Understanding what needs to be measured is key. But that’s just the first step. The real challenge lies in the how. The lack of standardization in measurements makes it difficult to gauge organizational performance against set policies and frameworks. Many organizations end up with dashboards that display results in stand-alone numbers or percentages without context.
For instance, you get a 70% score on a certain measurement. But this only raises more questions: “Is this good or bad? Are we better or worse off than before?”
A common issue is the overwhelming amount of disparate information presented, making it hard to understand the core message. Like too many dots in a connect-the-dots puzzle, it’s hard to see which dot should connect with which other dot. It’s hard to create a consistent story line. This lack of consistency leads to security leaders having to re-educate their audience every time they present metrics.
Watch the webinar recording >>
Iterative storytelling with reusable metrics
Metrics can be used for a variety of storytelling purposes, from board reporting to measuring compliance, from showing program effectiveness to enforcing policy. To excel in any of these areas, we've identified seven new standards for what metrics should be:
- Correlatable
- Contextualized
- Historical
- Customizable
- Flexible
- Continuous
- Actionable
With reusable, correlatable, customized metrics that are readily available and placed in context, no matter what story you want to tell – you are not starting from scratch every time you need to craft a strategy or present to your board. You have the insights you need on a continuous basis.
Let's say you want to tell a story about your program effectiveness.
Here’s what it would look like:
1. Frame the discussion: “Measuring program effectiveness”
2. Define the core questions: ”How effective are our programs? Are we improving? Where are we underperforming?”
3. Identify the audience, taking into account the level of granularity you’ll need.
4. Identify the detailed metrics you will need.
Program Effectiveness Board
In assessing program effectiveness, we can zoom into a specific program — for example, security awareness and view the relevant metrics.
This approach is top-down, with metrics generated automatically and connected to various tools. The key is to score the gap between the desired state and the actual state, based on known frameworks.
Now, when needing to measure for a different purpose, let’s say, preparing for an executive meeting in which you want to show the correlation between overall improvement in performance and increase in security training completion, you have all the metrics at the ready.
These seven new standards offer numerous benefits, such as correlating different data sources, providing different points of view, connecting to various tools, and easily visualizing different stories – the stories the security leader wants to tell to each audience based on their needs.
Now, which story do you need to build next? Let us take the hassle out of figuring it out for you…
Watch the webinar recording >>
