Early in my career I wish I knew what I didn’t know. I frequently found myself in situations where leadership would ask me for metrics. So, I would go to our existing security solutions, review the dashboard, and share the mountain of technical metrics that we had.
Those conversations didn’t go so well.
Since then I’ve used a basic three-tiered rubric to think about security metrics (you really need to present different data to different audiences ):
- Technical metrics – traditionally these are the types of metrics provided by off-the-shelf security tools. If we take vulnerability management as an example, this includes things such as the number of medium, high, and critical severity vulnerabilities. But really, who cares that you have 200,000 or 2 million vulnerabilities. Depending on the context, both can seem like a lot.
- Operational metrics – we need to transform the mountain of technical data into metrics that can drive operational improvements. This can include items such as the average time it takes to process and prioritize new vulnerabilities or the average time to remediate vulnerabilities.
It’s not enough to have those ‘point-in-time’ measures. You must also be able to analyze a trend over time and compare it to expected thresholds, to understand the root cause.
- Executive metrics – even with good operational metrics at hand it turns out that many executives might not actually care to see all the details that drive your team’s activities on a day-to-day basis. As a result, you need to transform your operational metrics into higher level executive information. For example, you can measure the window of exposure to critical flaw by business unit with, yes of course, a trend over time. After all, isn’t this why you have a vulnerability management program to begin with? And this will help your senior leadership to understand how cyber risk could impede the activities of different business units.
CISOs and security leaders need to be able to zoom-in and zoom-out of these three tiers to be able to tell the organization’s cybersecurity story in a meaningful way, especially as they tell the story to the CEO and the board.
I’ve tracked @SeeMetrics from the start and this is exactly why I’m excited about what they are building. It used to be a huge manual task to build these technical, operational, and executive metrics. Now it’s easier to understand where we as security leaders and CISOs should be paying attention and, perhaps more importantly, tell a data-driven story about cybersecurity risk.
As an example, take a look at their recent product update around quantifying ransomware readiness – you can gain a macro view of readiness, historical trends, and the drill-down metrics that make up this number so you can quickly see the gaps and prioritize the actions. It gives you the narrative you need backed with the data you currently can’t easily access.