A regular audience with executive management and the board is part of the CISO role now. And security leaders know they need to bring measurable information to the conversation to explain and justify their performance and spending. Metrics are no longer optional in security management, and if risk leaders aren’t tracking elements such as mean time to detect and respond as well as attack frequency, they are leaving out a valuable aspect of a holistic security program.
But what else should we be measuring? Are there new, different, or emerging measurements that address other concerns?
Recently, we brought you the worst metrics used in security. This time, we’ve asked security professionals what they think are overlooked or newly emerging metrics that can help make the case for security in new ways.
Security Team Proficiency
As Hank Thomas, CEO at Strategic Cyber Ventures, a Washington, DC-based venture capital firm that invests in cybersecurity companies, says:
“Many have found themselves in a position where they are spread so thin across their security stack that duplication of effort and smooth collaboration amongst their tools and teams has become highly complex. They don’t think they can take the time to train or test their teams — often it is trial by fire and on-the-job training. This can and should be measured through red-team exercises and other war games that stress teams and their abilities to operate in complex security environments.
“The military does this all the time to prepare for war with much success. Tools and teams that don’t operate to standard go back for retraining, and the process is constantly repeating itself. Great metrics come out of teams that spend time doing efforts like these.”
Security Team Satisfaction
Burnout is a well-documented hazard of the high-stress, high-stakes career of infosec. But what if there were ways to measure how staff members are doing in order to keep them happy?
Says Jason Albuquerque, CISO and CIO at Carousel Industries: “I would strongly encourage my CISO peers to seriously to look at personnel metrics. I think a lot about my staff and guiding them along their career paths, how we allocate their time to fully leverage our resources and not burn them out. We also set strategic KPIs around innovation and upstream communication.”
Support of the Business Mission
Albuquerque also advises finding ways to measure how well security’s efforts match up with the objectives of the organization as a whole.
“We look at how we build competitive advantage, how we create new opportunities in areas such as managed services, how many opportunities our security team is involved with, how many conversations we have with clients around security services, how we have enabled sales or impacted the opportunity pipeline,” he says. “By presenting data that demonstrates how the infosec team is successfully supporting the business in both areas, it accentuates the value delivered on a daily basis.”
Perceived Privileged Users Versus Actual Privileged Users
Aaron Turner, president and chief security officer of HighSide, says: “One metric that I’ve been working with some of our consulting customers on is the enumeration of privileged users and user groups and critical intellectual property.”
For example, he says: “Let’s say that an enterprise has a server with a large amount of intellectual property stored on it. Begin by enumerating all of the IT operations staff who have access to the server storing critical IP. Sometimes this becomes difficult in large-scale enterprise environments, especially where nested groups are used to allow different IT operations teams to have access to the server for operations and maintenance purposes.”
The end result, says Turner, should be a clear understanding of who has access to critical IP assets, and how that needs to be modified for better protection going forward.
Potential Cost of Security Incident
No one enjoys thinking about it, but it’s better to be prepared with numbers on how much a data breach or security incident could cost the organization than to be totally shocked should one occur. It is also useful to understand how much you may have to fork over for noncompliance with laws in an ever-growing regulation landscape.
Henry Harrison, CTO of Garrison, says, “If CISOs want to engage with strategic business risks, the metrics they should be focusing on are ‘How costly could an incident potentially be for us?’ and ‘How much do we think it would cost an attacker to do that to us?’ The latter is what CISOs should really be asking their red team. But it’s rarely what they are asking, because they know they won’t like the answer.”
As Jason Lau, CISO of Crypto.com, says: “Compare fines resulting from failing to comply with local regulation against other companies in the same industry. With the growing number of regulations around the world, from GDPR to CCPA, showing to management that (hopefully) you don’t have any fines helps to justify the direction and success of the security and privacy strategy that is being implemented.
Return on Investment
ROI is nothing new, but it still might not have made it into your Information Security department. (You might have even done your very best to keep it out.)
Nevertheless, Roger Hale, CISO-in-Residence at YL Ventures, says “I prefer to provide metrics showing the value of the past investments, as well as where there is still risk to be addressed. Focus areas include data showing our Cyber Insurance levels, external internet risk scores, the executive summary of our annual third-party risk assessment, with agreed-upon mitigation/remediation activity, and our security program coverage map broken out by CSF categories of: Identify or (Visibility), Protection, Detection, Response and Recover. This approach provides the board with information they need to assure that the company is investing in the right areas of security and privacy and helps them to accept the residual risk.”
George Wrenn, CEO of CyberSaint Security and former CSO of Schneider Electric has a mathemathical equation he uses for ROI measurement, which looks like this: (Mitigation coefficient X (Likelihood X $ Impact) – Cost of Completion)/Cost of Completion.
“The mitigation coefficient, in this case, can range, but I typically use .9 which assumes that any control or security solution mitigates 90% of negative effects. I have seen this adjusted for more conservative estimates, though. The likelihood, using NIST’s methodology, is broken down into Very Low (0.1), Low (0.25), Medium (0.5), High (0.75), Very High (1.0). This equation is designed to be applied on a per control basis. The value of that is being able to see where gaps exist, and where the greatest opportunities for investment lie.”