Cybersecurity

Metrics’ Role in Cyber Transformation

Joseph Burkard
May 23, 2023
4 min read

We’ve all heard the saying, “what gets measured gets done,” meaning that regular measurement and reporting helps to keep organizations focused on the information that matters. But with so many data points available to measure security, it is difficult to know where to begin. Security practitioners must constantly question what data they collect and why. Only by providing relevant measures can we understand how security impacts the business and enables strategic transformation.

Help the business understand risk

Business leaders and other stakeholders often struggle to understand information risk. Those with a background in areas such as finance or sales do not necessarily understand the relationship between security threats, vulnerabilities, incidents and what they all mean for the organization’s performance and finances. They may simply want to know: are we meeting regulatory obligations, are security investments delivering business value and are we prepared for a ransomware attack?

This means that security leaders and practitioners often assume responsibility for identifying what to measure and report. With such a wide range of security-related measurements to choose from, it is all too easy to veer off into technical details. If measurements are too detailed and focused on technical matters, stakeholders may be confused, remain uninformed or even be misled about information risk. We must therefore work to provide security measures that the business understands, finds useful and which lead to actionable outcomes.

Select measures carefully

Security practitioners have historically attempted to measure attributes related to controls, assets, vulnerabilities, threat events, incidents and loss. However, it is a near-impossible task to measure everything all of the time. Identifying, collecting, aggregating, analyzing and refining measurements takes dedicated staff, valuable time and available budget – all of which are usually in short supply.

We must, therefore, start by asking the following questions before we proceed with aggregating enormous amounts of data:

  • Why do we need to measure this?
  • Who is going to see it?
  • What is the question that this measurement helps to answer?
  • What is the narrative that it tells? What is the expected outcome of reporting?
  • Does it align to business objectives?

What can be measured?

To enable security practitioners to find the right measurements that support effective decision-making, it is necessary to understand the questions that business leaders and other stakeholders have about security. As noted earlier, business stakeholders may simply want to know:

  • Are we meeting regulatory obligations?
  • Are investments in security delivering value to the business?
  • How prepared are we for a ransomware attack?

We recommend that organizations craft key indicators to respond to these questions, expressed as either key performance indicators (KPIs) or key risk indicators (KRIs). KPIs represent an expression of progress towards strategic aims and business goals, whereas KRIs are an indication of the level of risk and a warning sign that a risk may be above or below the agreed tolerance. Sample security KPIs and KRIs that may help answer these questions are below:

  • % key controls implemented
  • % critical applications assessed
  • % critical devices patched
  • % critical vulnerabilities beyond SLA
  • mean-time-to-respond
  • cumulative financial loss

Whether choosing KPIs or KRIs, it is important to aspire to provide only a small number of key indicators at any time. Limiting the number of key indicators reported helps to relate information security to business priorities, and these should be regularly updated to show trends over time.

The primary challenge for information security teams is to report on measurements that are meaningful and useful to different stakeholders. Once key indicators are identified and agreed upon, security practitioners will need to identify lower-level metrics that can be aggregated to support them.

Measuring for success

While awareness of cyber threats is growing, many business leaders and other decision-makers have low confidence in how to manage information risk – because they don’t understand it, let alone know how to effectively measure it. By driving appropriate lines of questioning and measurement, security practitioners have an opportunity to raise that level of confidence with measurements that are trustworthy, relevant, timely and actionable.

Finding an effective way to measure and report on information security does have a real payoff. Organizations that can maintain an understanding of how information risk is likely to impact operations and performance and can build on that understanding to ask additional questions for added insight will be much better equipped to thrive in an uncertain, fast-changing business environment.

Read the results of our new Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War

To learn more about our cybersecurity solutions, contact us. 

Joseph Burkard

Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More