Security Metrics Need to Extend beyond Quantitative Factors
Metrics are tied to the performance of information security professionals – vulnerability close rates, timelines, and criticality ratings. However, when used properly, security metrics can provide so much more. Enabling organizations to take a pro-active rather than tactical, reactive security posture. Many security operations teams are still grappling with how they can leverage security metrics to implement a predictive approach to security to minimize the risk of cyber-attacks and insider threats.
According to the 2015 Cybercrime Survey by PwC, more and more boards of directors now take a very active interest in cyber security. They want to know about current and evolving risks, as well as the organization’s security preparedness and response plans. As a result, security metrics have taken center stage when it comes to providing the necessary information to the C-suite and boards. Whether you’re an engineer or consultant responsible for security and reporting to management or an executive who needs better information for decision-making, security metrics have become an important vehicle for communicating the state of an organization’s cyber risk posture.
The challenge for many security professionals is translating the scope, scale, and effectiveness of security initiatives into terms that can be understood by executives and boards. To illustrate this point, let’s review some examples. Traditionally, security operations teams have reported a familiar set of quantitative metrics to their leadership team including:
● Number of vulnerabilities
● Number of incidents
● Average time a vulnerability remains unpatched
While these metrics may be important for the security practitioner, they’re not necessarily relevant to security executives and board members since they don’t communicate very well the impact these have on the business. Upper management and boards want to understand what the organization is doing to prevent security breaches and the effectiveness these measures, its exposure to future risks and threats, and what areas can be improved.
Instead, security metrics need to extend beyond quantitative factors to be able to more effectively measure and communicate the organization’s cyber risk posture as it relates to business goals — in terms that both executives and board members can easily comprehend. One approach, is to focus on sensitive data that could be exfiltrated due to existing vulnerabilities or the financial impact associated with critical assets being rendered unusable by an attack, rather than reporting on technical security statistics that are not linked to business outcomes.
These are measures that non-technical executives can easily understand. What’s needed is a shift from crisis management to security analytics. Besides measuring control effectiveness, number of vulnerabilities, password compliance, patch latency, etc., reporting to the C-Suite and board room should contextualize security intelligence to its business risk.
Risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality. For each of these, organizations collect huge volumes of data that they need to aggregate, normalize, and then assess for their impact on the business. Fortunately, new technology – cyber risk management – is emerging that helps to not only to aggregate internal security intelligence and external threat data, but more importantly correlates these data feeds with its business criticality or risk to the organization. The end result is automated, contextualized security metrics that align with business objectives.
Some of these technologies elevate security metrics to the next level by leveraging artificial intelligence to move from a core analytical approach to a pro-active, predictive model. Looking at specific patterns and benchmarking them with external findings can provide security operations teams with a more accurate way to determine the likelihood and probability of breaches and their associated impact.