Why Business Has a Problem With Security Metrics

Security Metrics Need to Extend beyond Quantitative Factors

Security metrics are usually tied to the performance of information security professionals: vulnerability close rates, remediation timelines, and criticality ratings. Used properly, however, they can do much more, enabling organizations to take a proactive rather than a tactical, reactive security posture. Many security operations teams are still working out how to use security metrics to implement a predictive approach to security, one that minimizes the risk of cyber-attacks and insider threats before they materialize.

According to the 2015 Cybercrime Survey by PwC, more and more boards of directors now take a very active interest in cyber security. They want to know about current and evolving risks, as well as the organization’s security preparedness and response plans. As a result, security metrics have taken center stage when it comes to providing the necessary information to the C-suite and boards. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision-making, security metrics have become an important vehicle for communicating the state of an organization’s cyber risk posture.

Security Metrics

The challenge for many security professionals is translating the scope, scale, and effectiveness of security initiatives into terms that executives and boards can understand. To illustrate this point, let's review some examples. Traditionally, security operations teams have reported a familiar set of quantitative metrics to their leadership team, including:

● Number of vulnerabilities

● Number of incidents

● Average time a vulnerability remains unpatched


While these metrics are important to the security practitioner, they are not necessarily relevant to security executives and board members, because they do not communicate the impact these numbers have on the business. Upper management and boards want to understand what the organization is doing to prevent security breaches, how effective those measures are, what the organization's exposure to future risks and threats looks like, and which areas can be improved.

Instead, security metrics need to extend beyond quantitative factors so that they measure and communicate the organization's cyber risk posture as it relates to business goals, in terms that both executives and board members can readily comprehend. One approach is to focus on the sensitive data that could be exfiltrated through existing vulnerabilities, or on the financial impact of critical assets being rendered unusable by an attack, rather than reporting technical security statistics that are not linked to business outcomes.

These are measures that non-technical executives can easily understand. What is needed is a shift from crisis management to security analytics. Besides measuring control effectiveness, number of vulnerabilities, password compliance, patch latency, and so on, reporting to the C-suite and the boardroom should place security intelligence in the context of the business risk it represents.

Risk is made up of many factors, including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for impact on the business. Fortunately, a new class of technology, cyber risk management, is emerging that not only aggregates internal security intelligence and external threat data, but, more importantly, correlates these data feeds with the business criticality of the affected assets and the resulting risk to the organization. The end result is automated, contextualized security metrics that align with business objectives.
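As an added illustration (not code from the article or from any vendor it names), the following Python sketch reports the same set of vulnerability findings two ways: as the raw counts and patch latency a security operations team traditionally sends upward, and as per-business-unit metrics that weight each finding by reachability, exploit availability and the asset's business criticality, then roll up sensitive records at risk and hourly outage cost. The asset inventory, the scanner findings and the weighting scheme are all constructed for the example; real deployments would take criticality and impact figures from business owners and the weights from a documented risk model.

```python
"""Added example (not from the article or any vendor it names): the same
vulnerability findings reported as raw counts and as business-contextualized
metrics per business unit. Assets, findings and weights are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_unit: str
    criticality: float           # 0..1, assigned by the business owner (assumed input)
    internet_reachable: bool     # reachability: can an outsider reach it directly?
    records_exposed: int         # sensitive records lost if compromised (assumed input)
    outage_cost_per_hour: float  # USD per hour if rendered unusable (assumed input)


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float                  # CVSS base score, 0..10
    exploit_public: bool         # threat context: is a public exploit known?
    age_days: int                # days since the vulnerability was first reported


# Constructed inventory: a low-value public site, a crown-jewel database on the
# internal network, and a moderately sensitive HR portal.
ASSETS = {
    "web-brochure": Asset("web-brochure", "Marketing", 0.2, True, 0, 500.0),
    "payments-db": Asset("payments-db", "Finance", 1.0, False, 2_000_000, 25_000.0),
    "hr-portal": Asset("hr-portal", "HR", 0.7, True, 15_000, 2_000.0),
}

# Constructed scanner output: many medium findings on the brochure site, one
# high-severity finding with a public exploit on the database.
FINDINGS = [
    Finding("web-brochure", 5.3, False, 40),
    Finding("web-brochure", 4.3, False, 12),
    Finding("web-brochure", 6.1, False, 90),
    Finding("web-brochure", 5.0, False, 5),
    Finding("payments-db", 8.8, True, 20),
    Finding("hr-portal", 7.5, True, 60),
    Finding("hr-portal", 9.8, False, 3),
]


def raw_metrics(findings):
    """The traditional report: counts and patch latency, no business context."""
    ages = [f.age_days for f in findings]
    return {
        "vulnerabilities": len(findings),
        "critical_or_high": sum(1 for f in findings if f.cvss >= 7.0),
        "avg_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
    }


def finding_risk(finding, asset):
    """Likelihood x impact for one finding. The weights are an assumption for
    this example: an internal-only asset halves likelihood (the attacker needs
    a foothold first), a public exploit raises it by half, and impact is the
    owner-assigned business criticality."""
    likelihood = finding.cvss / 10.0
    if not asset.internet_reachable:
        likelihood *= 0.5
    if finding.exploit_public:
        likelihood = min(1.0, likelihood * 1.5)
    return likelihood * asset.criticality


def business_metrics(findings, assets):
    """Per business unit: risk-weighted score, sensitive records at risk and
    hourly outage exposure. Records and outage cost are counted once per
    affected asset, not once per finding."""
    per_bu = defaultdict(lambda: {"findings": 0, "risk_score": 0.0,
                                  "records_at_risk": 0, "outage_cost_per_hour": 0.0})
    counted_assets = set()
    for f in findings:
        asset = assets[f.asset]
        bu = per_bu[asset.business_unit]
        bu["findings"] += 1
        bu["risk_score"] += finding_risk(f, asset)
        if asset.name not in counted_assets:
            counted_assets.add(asset.name)
            bu["records_at_risk"] += asset.records_exposed
            bu["outage_cost_per_hour"] += asset.outage_cost_per_hour
    return dict(per_bu)


def rank_by(metrics, key):
    """Business units ordered from highest to lowest on one metric."""
    return sorted(metrics, key=lambda bu: metrics[bu][key], reverse=True)


if __name__ == "__main__":
    print("Raw report:", raw_metrics(FINDINGS))
    contextual = business_metrics(FINDINGS, ASSETS)
    for bu in rank_by(contextual, "risk_score"):
        print(bu, contextual[bu])
    print("By finding count:", rank_by(contextual, "findings"))
    print("By risk score:   ", rank_by(contextual, "risk_score"))
    print("By records:      ", rank_by(contextual, "records_at_risk"))
```

On this constructed data the count-based view puts Marketing at the top of the list because the brochure site carries the most findings, while the risk-weighted score ranks HR first and the records-at-risk view ranks Finance first, even though the payments database has a single finding. Which of the business metrics leads the board report depends on what the business cares about; the point is that none of them can be read off the raw count.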

Some of these technologies take security metrics a step further by applying artificial intelligence to move from a purely analytical approach to a proactive, predictive model. Examining specific patterns in an organization's own data and benchmarking them against external findings can give security operations teams a more accurate way to estimate the likelihood of breaches and their associated impact.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
