Image Credit: gesrey/Getty
Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more
This article was contributed by Joe Partlow, CTO of ReliaQuest
The end of the year has traditionally meant crunch time for organizations to finish their preparations for the upcoming year ahead. New budgets are allocated, and it’s up to the department leads to communicate metrics, results, and challenges from the past year in order to justify the additional spending for next year. In 2021, cybersecurity was under the spotlight like never before, with cybercrime increasing 600% due to the pandemic. Because of this, organizations are forced to address cybersecurity with direct orders from the top: CEOs and board members.
However, among all the metrics that department leaders analyze, one of the most difficult aspects to track is security progress and effectiveness. In fact, measuring this progress remains the primary obstacle for organizations looking to implement an IT security risk management program, so it’s essential that cyber leaders understand how to communicate this to upper management effectively.
As companies begin to implement plans for 2022, it is important for security leads to first meet with their direct reports to discuss which metrics to track, so the foundation for measurement is clearly established. Once that is settled, both parties will need to align on ways to continuously revisit and adjust these metrics to ensure the plan doesn’t become obsolete.
Creating a baseline for the year ahead
When it comes to reporting metrics across an organization, it’s critical for all department leads to have a conversation with their direct reports at least three to four months prior to the reporting stage. This is a crucial step to ensure the department lead is well-prepared and can determine what results will resonate best with the board. From a sales lens, this conversation is fairly straightforward. How many sales leads are you getting per month? How many of those convert into successful sales? How good are you at talking on the phone to prospective clients?
From a cybersecurity lens, however, tracking effectiveness and displaying ROI to the C-suite and board is more complicated. There aren’t any monthly quotas to meet, and many team leaders struggle with ways to display performance.
Deciding which metrics to track is dependent on several factors, such as the size of your organization, how many customers you have, or even where your company headquarters is located. With that said, there are several aspects of an organization’s security posture that should be tracked for businesses of any size.
Aligning on metrics for security
One of the most important skills a security professional can develop is telling a complicated story to a non-technical colleague—and since 63% of security managers believe board members don’t understand the value of new security technologies, telling this story can be a challenge.
The easiest way to have this conversation is to lead with metrics. While these will vary depending on the organization, look to the following metrics that all security team leaders should be aware of, and tactics for communicating that progress to the board.
- Level of preparedness: This metric should be constantly monitored since it shows how prepared a company is for an impending breach. It’s also one of the hardest to communicate to the board because there isn’t a hard and fast number that quantifies how “ready” an organization is. However, encouraging employees to keep corporate-network devices updated and patched is one actionable step and metric you can communicate and track to keep the organization secure.
- Tool efficacy: This is an important one because as a security leader you are responsible for providing insight into what tools and services the security team should invest in. Many services exist that will give you an average third-party vendor rating snapshot, which can be continuously checked on and presented to the board. These ratings are an effective way to show progress to a non-technical employee and justify the budget needed for specific security infrastructure.
- Breach attempts or security incidents: While it’s a hard one to discuss, this is a necessary metric to communicate. You can show how many times attackers not only tried to attack the corporate network, but also how many were detected and blocked. Highlighting a decrease in the number of times these events occur year-over-year will be a key benchmark for board members to measure in order to determine the success of their security programs and where changes may be necessary.
- Meantime to detect, resolve and contain attacks: These three should be tracked separately, but analyzing these metrics together can provide new insights about where certain parts of an incident response plan might be lacking. These measurements provide significant value to board members when you’re trying to convince them to invest more resources into security tools that will make the company’s response to a potential cyberattack as quick and efficient as possible.
- Trending and mapping risks to the business: Demonstrating that the security program is addressing the more important risks to the business is critical to get buy-in and support from the board. Mapping the critical business risks back to the security controls and technologies you are implementing is the best way to show ROI along with trending the results.
All good plans should be consistently revisited and adjusted, and that’s especially true for cybersecurity. The threat landscape promises to evolve, with cybercriminals constantly leveraging new attack methods. This is not something security leaders and organizations should be thinking about just during the planning and reporting seasons, but all year long. Without refreshed response plans and solid security metrics, sophisticated attackers will outpace your organization.
Security leaders will be able to mitigate some of the most common missteps and oversights organizations make if they take the time to determine how best to measure progress and therefore effectively communicate their needs up to the C-Suite and board.
Joe Partlow is CTO of ReliaQuest
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.
If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.
You might even consider contributing an article of your own!