Hello 2024! What a pleasure to have my daily metrics updated while I sip my morning coffee…
In the last twelve months, the cybersecurity performance management landscape has evolved considerably. Here I share the observations we’ve gathered from our clients, partners and community. All of them point to a marked shift in demand: not only for data consolidation, but also for a simplification layer that deciphers and makes sense of the data that they, as leaders, need to rely on.
In 2023, the expectation that CISOs and security leaders provide comprehensive reports on cybersecurity performance continued to intensify. Across the industry, there has been a growing emphasis on enhancing the soft skills of security leaders. Headlines such as Security Week’s “CISOs and Board Reporting – An Ongoing Problem” point to the increased focus on effective communication with the board.
Simultaneously, there has been mounting pressure to substantiate and justify cybersecurity budgets. In an article titled “How to calculate cybersecurity ROI with concrete metrics”, TechTarget delved into the complexities of building a compelling security ROI case, reflecting concerted efforts to address this critical aspect.
But let’s not let these headlines skew our perspective. In 2023, CISOs worked hard – so hard that CISO burnout was a trending topic – to meet the above-mentioned demands.
So, why is there this gap between expectation and burnout?
The challenge was in part due to the thankless task of managing metrics. When we spoke with security leaders about metrics, we identified a common challenge — they find themselves at an impasse. Some grapple with the ongoing dilemma of determining what metrics to measure. Others have invested much time and effort in manual spreadsheets. Some paid handsome sums for outsourced services from prominent consulting firms (commonly referred to as the Big Four). More and more companies hired dedicated data analysts to navigate and leverage Business Intelligence (BI) tools. Despite these efforts, the outcomes have proven suboptimal and failed to meet expectations.
All of the above options involve aggregating data from diverse sources and formats, across different time periods. And yet, despite so much effort, they only provide static snapshots of a subset of variables which, in all likelihood, have already changed by the time the report is produced. They are time-stamped, outdated outcomes in a dynamic world, and they are expensive. They don’t allow organizations to move beyond isolated data points and identify the interconnected pieces and trends needed for meaningful analysis.
While the challenges above highlight what’s been missing, they also cultivate fertile ground for innovation and the emergence of different approaches. As we step into 2024, the industry is embracing new opportunities, and we are grateful to our early-adopter community.
So much is changing and it’s all very exciting
- Shifting from manual to automated approaches — executives in sales, marketing, human resources, finance, and other business units have long benefited from centralized platforms such as Customer Relationship Management (CRM) or Enterprise Resource Planning (ERP) systems that provide real-time progress and performance metrics. That in 2023 many CISOs and their teams still relied on static, offline, manually fed spreadsheets was quite unfathomable. This, of course, created a wall that only hindered them and prevented them from doing the right thinking.
Towards the end of the year, we finally started to see a growing shift to new approaches, including building homegrown metrics programs and/or deploying automated platforms.
- A growing desire to break down silos — many CISOs and security leaders continue to find themselves in a silo. To effectively govern their organization, they must have clear visibility into its trends. This realization dawned when one of our earliest clients asked us to work with their code protection team lead on their integration. The team leader told us, "For the first time, leadership won't require my time for risk assessments and standard processes—they now have a comprehensive view through SeeMetrics."
This concept is gaining momentum. Performance management extends beyond providing security leadership with insights into metrics; it entails fostering transparency in operations, eliminating the need for significant time investment in data sharing. 2024 is likely to see many CISOs and security leaders reaching for this missing analytical layer, fed by real-time data.
- Telling the story as you need it — a crucial insight our customers shared with us involves their frustration with the repetitive task of measuring the same metric over and over, each time adapting it to a different storytelling context. This diversion of attention from securing the company to the complexities of data ingestion processes blurs the focus of subject matter experts (SMEs).
In 2024, targeted storytelling, backed by the relevant data, will make for more meaningful collaborations within security as well as between security and other departments, all the way to the board.
What to expect in 2024
The ability to measure everything – in the absence of a metrics program, conveying success becomes a challenge, both internally among peers and externally. The complexity lies in the ambiguity of how to measure aspects such as the security program's effectiveness, the readiness to defend against a threat, or even the success of the most recent tool(s) deployed.
As expectations on the security leadership to communicate progress grow, the paradigm will continue to shift away from compliance, characterized by perfunctory "checking the boxes," and will be replaced by real-world assessments of control performance. This is where a comprehensive platform will prove invaluable, enabling security leaders not only to measure every facet but also to leverage each metric for distinct purposes. In 2024, such a platform will serve as the key to achieving success in the dynamic landscape of security measurement and communication.
In essence, the CISO's role will continue to transform, requiring a strategic blend of performance insights and communication, resulting in the capacity to “manage everything”. This approach will be crucial in steering through the complexities that may unfold in 2024.
CISO as the data champion – the transition to resilience will be underscored by the pivotal role CISOs and security leaders will play as active data contributors. These leaders will become data champions – like their peers in other business units who use automated data platforms – and will be able to easily communicate trends, progress, and needs. But be sure to look for the right tool – creating a security data lake is a great step forward. But then what would you end up doing with a lake? Do you have your boat? Skipper training, etc.?
For metrics, KPIs and data consolidation for management purposes, you need a sophisticated wisdom layer that allows you to navigate the sea of data seamlessly.
No more chasing after data – in 2024, security leaders are poised to truly enjoy their morning coffee, knowing that the most up-to-date metrics are at their fingertips. This trend is already underway, as more and more CISOs are now equipped with dedicated performance management tools to efficiently oversee their organizations.
Recommended Reading From 2023
If you have some time over the holidays, here are a couple of great links.
- Video: How to communicate the most effective narrative to different stakeholders, in the context that matters most to them.