We recently hosted a webinar on cybersecurity metrics management triumph and horror stories where our expert panelists discussed the best ways of working with metrics — how many to use, which to present to the board, the ones they can’t live without, the ones they need for internal alignment…
Thanks to their candid sharing, we've uncovered several key takeaways that shed light on how security leaders can improve their management of metrics and leverage the data to build the narratives they need based on the stakeholder they are communicating with.
1. There is still no consensus on metrics
Despite the wealth of academic research and available information, the responsibility for determining which metrics to use, how to use them, how often to report them, and how to allocate resources still falls squarely on the shoulders of CISOs and security leaders. There are no clear rules or standardization, and there are no one-size-fits-all security metrics that BoDs or other executives universally ask about.
2. What you measure depends on the maturity of your security organization
Different maturity levels call for different approaches to measurement and might require focusing on distinct aspects of security. Organizations at lower maturity levels are often in the initial stages – they are determining which metrics are most pertinent and they may only employ a few key metrics.
More mature cybersecurity organizations, on the other hand, tend to diversify their metric portfolio because they exhibit a higher degree of control over how they use these metrics, allowing for strategic management and tailored utilization.
3. Leverage automation for scalability
Automation enables organizations to scale their efforts. It helps produce tailored stories for different audiences, from technical teams to executives to the BoD. This ensures that everyone in the organization has access to digestible information, fostering a more informed approach to security.
“Curious if you could speak to the gap (if any) between what the ‘audience’ wants, what the audience ‘needs’, and what ‘you [as the security leader]’ want to share.”
- Attendee
“I love this question because one of my biggest learnings doing metrics is you really need to be aligned with where your team, your audience and your stakeholders are at. I’ve seen so many times where people come in and they want to show impact with metrics, and they do so too quickly, and therefore people don’t see the value. You have to think about the maturity of your program, [get] people into the practice of looking at metrics, using it, poking holes at it. The holy grail is to use it to drive decisions.”
- Panelist Susan Chiang, Cloudflare
4. Compliance is a trailing indicator
Compliance is essentially a trailing indicator, reflecting past efforts to meet specific requirements. To truly enhance security, you must be proactive and shift your focus towards indicators that provide insight into the current state as well as trends.
5. Being able to reflect the context is key
Security is dynamic and multi-faceted. The business context in which security operates is key, and it too is constantly evolving. Thus, security metrics should be able to reflect that context while also aligning with and enabling the business. In addition, security leaders must be able to translate these metrics into the organization’s unique business language in order to demonstrate how security efforts align with broader organizational objectives.
6. Customization empowers you to craft narratives tailored to your audience
Different stakeholders possess distinct requirements when it comes to security performance. The ability to tailor information allows you to convey the precise narrative you intend to tell, and it also enables you to do so consistently and effectively. Ensuring that each stakeholder receives the information they need is key to fostering collaboration, garnering support for new purchases, and justifying existing expenses.
In conclusion, security metrics are not just about tracking some numbers; they are about driving meaningful decisions within an organization. By leveraging the dynamic nature of security metrics, using automation, and tailoring metrics to the organization's context, security leaders can craft narratives that resonate with their vision, fueled by an uninterrupted stream of data. Over time, stakeholders not only grow accustomed to this tailored storytelling but also come to depend on and trust it as a continuous source of insight and decision-making.