Business leaders want to know they’re getting the most out of their investments. That applies to people, products, vendors, resources, and infrastructure—and it also applies to cybersecurity solutions. At a time when hardly a day goes by without a new cyberattack making headlines, corporate boards are concerned with making sure they have the right solutions in place to keep their systems and networks as safe as possible.
Unfortunately, measuring the effectiveness of cybersecurity solutions is not easy, mainly because it is impossible to prove a negative. How do you quantify the number of attacks that didn’t happen? The amount of money that wasn’t lost? The severity of the regulatory penalties that weren’t incurred? Security teams are oriented around preventing negative outcomes rather than generating positive ones, which makes demonstrating return on investment (ROI) to board members a challenge. Fortunately, it’s a problem with a solution: embracing metrics. By creating a culture of metrics within security teams, organizations can find creative—not to mention useful—ways to demonstrate the effectiveness and value of the solutions in use.
Effectively Communicating with Decision Makers
It’s often said that the only thing worse than a bad measurement is no measurement. This isn’t unique to cybersecurity—marketers, for example, need to know how their campaigns are performing, while sales teams need to project potential revenue. Hard numbers and precise metrics are obviously preferred, but even imprecise ones can give decision makers a helpful impression of how things are going. Without metrics, organizations are left to base their decisions off anecdotal evidence and gut feelings. For security professionals, swapping anecdotes might share important information—but it’s unlikely to satisfy board members who want to see evidence that they are getting the most out of their cybersecurity investments.
There are some security metrics that are quantitative. Dwell time (the amount of time an attacker spends in the network before detection) is one. Time to resolution (the amount of time between when an incident is detected and when it is resolved) is another. These can be helpful, but they can also be fuzzy—there are many factors that go into rising and falling dwell time and resolution rates, and it can be difficult to effectively convey context to those without a security background. Instead, let’s take a step back. At their core, metrics like dwell time and time to resolution are really just proxies for what you really want to convey—which is how well your security tools are operating and how responsive your organization is to threats. Creating metrics that measure those factors over time can relay the efficacy of a cybersecurity program more effectively than counting stats like dwell time ever could.
Tracking Against Established Frameworks and Known Threats
One of the best ways to measure your attack preparedness is to see how it compares to established frameworks. The National Institute of Standards and Technology (NIST) is an agency within the U.S. Department of Commerce that regularly releases and updates security frameworks to serve as guidelines for organizations seeking to better protect themselves. Tracking how your security stack measures up to the recommendations made in the NIST Cybersecurity Framework (CSF) or Privacy Framework (PF) can provide a valuable measuring stick—especially if you can reduce it to a single, easily digestible number, such as percentage alignment. This also allows you to track performance over time, which is another valuable way to demonstrate progress to board members and other decision makers. The same can be done with audit results and other external reviews. MITRE is another respected organization that publishes regular cyber defense frameworks, and if your organization undergoes a periodic SOC 2 audit, consider comparing those results year-over-year.
This same logic applies to internal assessments as well. Independent of NIST frameworks or other security standards, do you have a solid grasp on the threats that your specific industry, company, environment, or product tends to face? And do you have a way to measure those threats? Most importantly, are you trending in the right direction when it comes to mitigating them? It isn’t as simple as putting together a metric based on “number of intruders detected” or “number of attackers quarantined,” but metrics don’t need to be black and white to be effective. Identifying the most pressing threats and cataloging how they are addressed is critical. Simply put, it’s incredibly valuable to be able to say, “here’s a risk we identified, here’s how we measured it, here’s how we addressed it, and here’s what it cost.”
Making Metrics the Norm
When you’re talking to board members and other business decision makers, it’s important to be able to speak to cybersecurity metrics in a holistic manner. Granted, not every board is the same—and board members with technical expertise may appreciate seeing vulnerability statistics and other high-level numbers. But generally, your best bet is to frame things in terms of enterprise risk management. Identifying and quantifying risks, measuring performance against established standards, and consolidating those measurements to easily digestible and understandable metrics can help paint a more complete picture of the effectiveness—and value—of a cybersecurity program. Building a culture of metrics within the IT and security teams helps create an environment where tracking performance over time in clear and understandable ways becomes the norm—making it easier to provide business decision makers with the information they need.
Greg Notch is the Chief Information Security Officer (CISO) at Expel.
