Metrics’ role in cyber transformation

This blog post was authored by Joseph Burkard - Director, Security and Privacy on the technology insights blog.

We’ve all heard the saying, “what gets measured gets done,” meaning that regular measurement and reporting helps to keep organisations focused on the information that matters. But with so many data points available to measure security, it is difficult to know where to begin. Security practitioners must constantly question what data they collect and why. Only by providing relevant measures can we understand how security impacts the business and enables strategic transformation.

Help the business understand risk

Business leaders and other stakeholders often struggle to understand information risk. Those with a background in areas such as finance or sales do not necessarily understand the relationship between security threats, vulnerabilities, incidents and what they all mean for the organisation’s performance and finances. They may simply want to know: are we meeting regulatory obligations, are security investments delivering business value and are we prepared for a ransomware attack?

This means that security leaders and practitioners often assume responsibility for identifying what to measure and report. With such a wide range of security-related measurements to choose from, it is all too easy to veer off into technical details. If measurements are too detailed and focused on technical matters, stakeholders may be confused, remain uninformed or even be misled about information risk. We must therefore work to provide security measures that the business understands, finds useful and which lead to actionable outcomes.

Select measures carefully

Security practitioners have historically attempted to measure attributes related to controls, assets, vulnerabilities, threat events, incidents and loss. However, it is a near-impossible task to measure everything all of the time.
Identifying, collecting, aggregating, analysing and refining measurements takes dedicated staff, valuable time and available budget – all of which are usually in short supply. We must, therefore, ask the following questions before we proceed with aggregating enormous amounts of data:

- Why do we need to measure this?
- Who is going to see it?
- What is the question that this measurement helps to answer?
- What is the narrative that it tells?
- What is the expected outcome of reporting?
- Does it align to business objectives?

What can be measured?

To enable security practitioners to find the right measurements that support effective decision-making, it is necessary to understand the questions that business leaders and other stakeholders have about security. As noted earlier, business stakeholders may simply want to know:

- Are we meeting regulatory obligations?
- Are investments in security delivering value to the business?
- How prepared are we for a ransomware attack?

We recommend that organisations craft key indicators to respond to these questions, expressed as either key performance indicators (KPIs) or key risk indicators (KRIs). KPIs represent an expression of progress towards strategic aims and business goals, whereas KRIs are an indication of the level of risk and a warning sign that a risk may be above or below the agreed tolerance. Sample security KPIs and KRIs that may help answer these questions are below:

- % key controls implemented
- % critical applications assessed
- % critical devices patched
- % critical vulnerabilities beyond SLA
- mean-time-to-respond
- cumulative financial loss

Whether choosing KPIs or KRIs, it is important to aspire to provide only a small number of key indicators at any time. Limiting the number of key indicators reported helps to relate information security to business priorities, and these should be regularly updated to show trends over time.
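To show how several of the sample indicators above are built from lower-level records and then checked against an agreed tolerance, here is an added worked example. It is not code from the original post or from Protiviti; the record layouts, the tolerance thresholds and every sample value (devices, vulnerabilities, incidents, losses, the "as of" date) are constructed for illustration.

```python
"""Aggregate low-level security records into a handful of KPIs/KRIs.

Hypothetical example: record layouts, tolerances and all sample values are
constructed for illustration and do not describe any real environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


# --- Constructed low-level records (the raw data the key indicators aggregate) ---

@dataclass
class Device:
    name: str
    critical: bool
    patched: bool                # patched against all current critical advisories


@dataclass
class Vulnerability:
    id: str
    severity: str                # "critical", "high", ...
    opened: datetime
    sla: timedelta               # agreed remediation window for this severity
    closed: Optional[datetime]   # None while still open


@dataclass
class Incident:
    id: str
    detected: datetime
    responded: datetime          # first containment action
    loss_gbp: float              # realised financial loss attributed to the incident


NOW = datetime(2024, 3, 1)       # constructed "as of" date for the report

DEVICES = [
    Device("db-01", True, True),
    Device("db-02", True, False),
    Device("web-01", True, True),
    Device("web-02", True, True),
    Device("kiosk-07", False, False),   # not critical: excluded from the KPI
]

VULNS = [
    Vulnerability("V-1", "critical", NOW - timedelta(days=40), timedelta(days=14), None),
    Vulnerability("V-2", "critical", NOW - timedelta(days=5), timedelta(days=14), None),
    Vulnerability("V-3", "critical", NOW - timedelta(days=30), timedelta(days=14),
                  NOW - timedelta(days=20)),   # closed, so not counted as open
    Vulnerability("V-4", "high", NOW - timedelta(days=90), timedelta(days=30), None),
]

INCIDENTS = [
    Incident("INC-1", datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 11, 0), 12_000.0),
    Incident("INC-2", datetime(2024, 2, 3, 22, 0), datetime(2024, 2, 4, 4, 0), 3_500.0),
]


# --- Key indicators, each a single number a non-technical stakeholder can read ---

def pct_critical_devices_patched(devices):
    """KPI: share of critical devices that are fully patched."""
    crit = [d for d in devices if d.critical]
    return 100.0 * sum(d.patched for d in crit) / len(crit) if crit else 0.0


def pct_critical_vulns_beyond_sla(vulns, now):
    """KRI: share of *open* critical vulnerabilities whose age exceeds their SLA."""
    open_crit = [v for v in vulns if v.severity == "critical" and v.closed is None]
    if not open_crit:
        return 0.0
    overdue = [v for v in open_crit if now - v.opened > v.sla]
    return 100.0 * len(overdue) / len(open_crit)


def mean_time_to_respond_hours(incidents):
    """KRI: mean hours from detection to first containment action."""
    if not incidents:
        return 0.0
    return mean((i.responded - i.detected).total_seconds() / 3600 for i in incidents)


def cumulative_loss(incidents):
    """KRI: total realised loss across the reporting period."""
    return sum(i.loss_gbp for i in incidents)


def build_indicators(devices, vulns, incidents, now):
    return {
        "pct_critical_devices_patched": pct_critical_devices_patched(devices),
        "pct_critical_vulns_beyond_sla": pct_critical_vulns_beyond_sla(vulns, now),
        "mean_time_to_respond_hours": mean_time_to_respond_hours(incidents),
        "cumulative_loss_gbp": cumulative_loss(incidents),
    }


# Constructed tolerances: (limit, higher_is_bad). A KPI breaches when it falls
# below its target; a KRI breaches when it rises above its agreed tolerance.
TOLERANCES = {
    "pct_critical_devices_patched": (95.0, False),
    "pct_critical_vulns_beyond_sla": (10.0, True),
    "mean_time_to_respond_hours": (4.0, True),
    "cumulative_loss_gbp": (50_000.0, True),
}


def evaluate(indicators, tolerances):
    """Return only the indicators outside tolerance, as name -> (value, limit)."""
    breaches = {}
    for name, value in indicators.items():
        limit, higher_is_bad = tolerances[name]
        if (higher_is_bad and value > limit) or (not higher_is_bad and value < limit):
            breaches[name] = (value, limit)
    return breaches


if __name__ == "__main__":
    report = build_indicators(DEVICES, VULNS, INCIDENTS, NOW)
    for name, value in report.items():
        print(f"{name:32s} {value:>10.1f}")
    for name, (value, limit) in evaluate(report, TOLERANCES).items():
        print(f"OUTSIDE TOLERANCE: {name} = {value:.1f} (limit {limit:.1f})")
```

The point of the structure is that each stakeholder-facing number has a documented definition (for instance, "beyond SLA" is measured against open critical vulnerabilities only) and an agreed tolerance, so the report states both the value and whether it warrants action; re-running it each period over the same definitions is what makes the trend comparable.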
The primary challenge for information security teams is to report on measurements that are meaningful and useful to different stakeholders. Once key indicators are identified and agreed upon, security practitioners will need to identify lower-level metrics that can be aggregated to support them.

Measuring for success

While awareness of cyber threats is growing, many business leaders and other decision-makers have low confidence in how to manage information risk – because they don’t understand it, let alone know how to effectively measure it. By driving appropriate lines of questioning and measurement, security practitioners have an opportunity to raise that level of confidence with measurements that are trustworthy, relevant, timely and actionable.

Finding an effective way to measure and report on information security does have a real payoff. Organisations that can maintain an understanding of how information risk is likely to impact operations and performance, and can build on that understanding to ask additional questions for added insight, will be much better equipped to thrive in an uncertain, fast-changing business environment.