SecurityWeek

Risk Management

Why Business Has a Problem With Security Metrics

Security Metrics Need to Extend beyond Quantitative Factors


Metrics are usually tied to the performance of information security professionals: vulnerability close rates, timelines, and criticality ratings. When used properly, however, security metrics can provide much more, enabling organizations to take a proactive rather than a tactical, reactive security posture. Many security operations teams are still grappling with how to leverage security metrics to implement a predictive approach to security that minimizes the risk of cyber-attacks and insider threats.

According to the 2015 Cybercrime Survey by PwC, more and more boards of directors now take a very active interest in cyber security. They want to know about current and evolving risks, as well as the organization’s security preparedness and response plans. As a result, security metrics have taken center stage when it comes to providing the necessary information to the C-suite and boards. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision-making, security metrics have become an important vehicle for communicating the state of an organization’s cyber risk posture.

Security Metrics

The challenge for many security professionals is translating the scope, scale, and effectiveness of security initiatives into terms that can be understood by executives and boards. To illustrate this point, let’s review some examples. Traditionally, security operations teams have reported a familiar set of quantitative metrics to their leadership team including:

● Number of vulnerabilities

● Number of incidents

● Average time a vulnerability remains unpatched

While these metrics may be important to the security practitioner, they are not necessarily relevant to security executives and board members, since they do not communicate the impact these figures have on the business. Upper management and boards want to understand what the organization is doing to prevent security breaches and how effective these measures are, its exposure to future risks and threats, and what areas can be improved.


Instead, security metrics need to extend beyond quantitative factors so that they measure and communicate the organization’s cyber risk posture as it relates to business goals, in terms that both executives and board members can easily comprehend. One approach is to focus on the sensitive data that could be exfiltrated through existing vulnerabilities, or on the financial impact of critical assets being rendered unusable by an attack, rather than reporting technical security statistics that are not linked to business outcomes.

These are measures that non-technical executives can easily understand. What’s needed is a shift from crisis management to security analytics. Besides measuring control effectiveness, number of vulnerabilities, password compliance, patch latency, etc., reporting to the C-Suite and board room should contextualize security intelligence to its business risk.

Risk is made up of many factors, including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for their impact on the business. Fortunately, a new category of technology, cyber risk management, is emerging that not only aggregates internal security intelligence and external threat data but, more importantly, correlates these data feeds with their business criticality or risk to the organization. The end result is automated, contextualized security metrics that align with business objectives.
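As an added illustration (not code from the article or from any cyber risk management product), the Python sketch below contrasts the traditional counts listed earlier with metrics that weight each finding by reachability and business criticality and express exposure in business terms; the asset names, weights, record counts and dollar figures are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Finding:
    asset: str
    cvss: float           # technical severity, 0-10
    days_open: int        # patch latency in days
    reachable: bool       # an attacker path to the asset exists (reachability)
    criticality: int      # business criticality 1-5, assigned by the asset owner
    records: int          # sensitive records the asset holds
    downtime_cost: float  # assumed USD per day if the asset is rendered unusable

# Constructed sample findings (hypothetical assets, not from the article).
# Note that build-box has the highest CVSS and the longest patch latency,
# yet carries little business risk; the two metric views disagree on purpose.
FINDINGS = [
    Finding("crm-db", 9.8, 45, True, 5, 250_000, 80_000),
    Finding("crm-db", 6.5, 10, False, 5, 250_000, 80_000),
    Finding("build-box", 9.8, 90, False, 1, 0, 500),
    Finding("web-portal", 7.5, 5, True, 4, 0, 40_000),
    Finding("hr-share", 5.0, 120, True, 3, 12_000, 2_000),
]

def technical_metrics(findings):
    """The practitioner view: raw volume and average patch latency."""
    return {
        "vulnerabilities": len(findings),
        "avg_days_unpatched": mean(f.days_open for f in findings),
    }

def risk_score(f):
    """Normalize severity to 0-1, then weight by reachability and criticality (1-5 -> 0.2-1.0)."""
    reach = 1.0 if f.reachable else 0.25   # unreachable findings are discounted, not ignored
    return round((f.cvss / 10.0) * reach * (f.criticality / 5.0), 3)

def business_metrics(findings):
    """The board view: which assets carry the most risk, and what exposure that implies."""
    per_asset = {}
    for f in findings:
        per_asset[f.asset] = max(per_asset.get(f.asset, 0.0), risk_score(f))
    # Exposure is counted once per asset that has a reachable, high-severity finding.
    exposed = {f.asset: f for f in findings if f.reachable and f.cvss >= 7.0}
    return {
        "top_risk_assets": sorted(per_asset, key=per_asset.get, reverse=True)[:3],
        "records_exposed": sum(f.records for f in exposed.values()),
        "daily_downtime_cost_at_risk": sum(f.downtime_cost for f in exposed.values()),
    }
```

Running `business_metrics(FINDINGS)` ranks crm-db and web-portal ahead of build-box, which the technical view would flag first; the weights are illustrative and should be set with the business owners.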

Some of these technologies elevate security metrics to the next level by leveraging artificial intelligence to move from a purely analytical approach to a proactive, predictive model. Looking at specific patterns and benchmarking them against external findings can give security operations teams a more accurate way to determine the likelihood of breaches and their associated impact.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
