Metrics’ role in cyber transformation

This blog post was authored by Joseph Burkard - Director, Security and Privacy on the technology insights blog.

We’ve all heard the saying, “what gets measured gets done”: regular measurement and reporting keeps organisations focused on the information that matters. But with so many data points available to measure security, it is difficult to know where to begin. Security practitioners must constantly question what data they collect and why. Only by providing relevant measures can we understand how security affects the business and enables strategic transformation.

Help the business understand risk

Business leaders and other stakeholders often struggle to understand information risk. Those with a background in areas such as finance or sales do not necessarily understand the relationship between security threats, vulnerabilities and incidents, or what they all mean for the organisation’s performance and finances. They may simply want to know: are we meeting regulatory obligations, are security investments delivering business value, and are we prepared for a ransomware attack?

This means that security leaders and practitioners often assume responsibility for identifying what to measure and report. With such a wide range of security-related measurements to choose from, it is all too easy to veer off into technical details. If measurements are too detailed and focused on technical matters, stakeholders may be confused, remain uninformed or even be misled about information risk. We must therefore work to provide security measures that the business understands, finds useful and which lead to actionable outcomes.

Select measures carefully

Security practitioners have historically attempted to measure attributes related to controls, assets, vulnerabilities, threat events, incidents and loss. However, it is a near-impossible task to measure everything all of the time.
Identifying, collecting, aggregating, analysing and refining measurements takes dedicated staff, valuable time and available budget, all of which are usually in short supply. We must therefore ask the following questions before we proceed with aggregating enormous amounts of data:

Why do we need to measure this?
Who is going to see it?
What is the question that this measurement helps to answer?
What is the narrative that it tells?
What is the expected outcome of reporting?
Does it align to business objectives?

What can be measured?

To enable security practitioners to find the right measurements that support effective decision-making, it is necessary to understand the questions that business leaders and other stakeholders have about security. As noted earlier, business stakeholders may simply want to know:

Are we meeting regulatory obligations?
Are investments in security delivering value to the business?
How prepared are we for a ransomware attack?

We recommend that organisations craft key indicators to respond to these questions, expressed as either key performance indicators (KPIs) or key risk indicators (KRIs). A KPI expresses progress towards strategic aims and business goals, whereas a KRI indicates the current level of a risk and acts as an early warning that the risk is approaching or has exceeded the agreed tolerance. Sample security KPIs and KRIs that may help answer these questions:

% key controls implemented
% critical applications assessed
% critical devices patched
% critical vulnerabilities beyond SLA
mean-time-to-respond
cumulative financial loss

Whether choosing KPIs or KRIs, aim to report only a small number of key indicators at any time. Limiting the number of key indicators reported helps to relate information security to business priorities, and the indicators should be updated regularly so that trends can be shown over time.
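As an added example (not code from the original post or from Protiviti), the following Python sketch shows how three of the indicators listed above can be derived from lower-level records, here a constructed export of vulnerability findings. The SLA days per severity, the 5% KRI tolerance, the asset names and dates, and the definition of a “patched” critical device as one with no open critical or high finding are all assumptions made for illustration; your own policy and inventory would supply them. Mean-time-to-respond is shown in its remediation form (days from detection to fix) because a findings export is the input. The reporting date is a parameter rather than “today” so the same data can be re-run for earlier dates, which is what produces the trend the post asks for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# Remediation SLA per severity, in days. Assumed policy values, not from the post.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Agreed tolerance for the KRI "% critical vulnerabilities beyond SLA". Assumed.
KRI_TOLERANCE_PCT = 5.0


@dataclass(frozen=True)
class Finding:
    """One lower-level record, e.g. a row exported from a vulnerability scanner."""
    asset: str
    severity: str               # one of the SLA_DAYS keys
    detected: date
    remediated: Optional[date]  # None while the finding is still open


def open_at(f: Finding, as_of: date) -> bool:
    """True if the finding existed and was unresolved on the reporting date."""
    return f.detected <= as_of and (f.remediated is None or f.remediated > as_of)


def sla_deadline(f: Finding) -> date:
    return f.detected + timedelta(days=SLA_DAYS[f.severity])


def pct_critical_beyond_sla(findings: Iterable[Finding], as_of: date) -> float:
    """KRI: share of open critical-severity findings whose SLA deadline has passed."""
    crit = [f for f in findings if f.severity == "critical" and open_at(f, as_of)]
    if not crit:
        return 0.0
    late = sum(1 for f in crit if as_of > sla_deadline(f))
    return round(100.0 * late / len(crit), 1)


def pct_critical_devices_patched(findings: Iterable[Finding],
                                 critical_assets: set, as_of: date) -> float:
    """KPI: share of inventoried critical assets with no open critical or high finding.
    The inventory is passed separately so an asset with zero findings still counts."""
    if not critical_assets:
        return 0.0
    unpatched = {f.asset for f in findings
                 if f.asset in critical_assets
                 and f.severity in ("critical", "high")
                 and open_at(f, as_of)}
    return round(100.0 * (len(critical_assets) - len(unpatched)) / len(critical_assets), 1)


def mean_time_to_remediate_days(findings: Iterable[Finding], as_of: date) -> Optional[float]:
    """Remediation form of mean-time-to-respond: mean days from detection to fix
    over findings closed on or before the reporting date. None if nothing closed."""
    durations = [(f.remediated - f.detected).days
                 for f in findings
                 if f.remediated is not None and f.remediated <= as_of]
    return round(sum(durations) / len(durations), 1) if durations else None


def kri_status(value: float, tolerance: float) -> str:
    """A KRI only carries meaning next to the tolerance it is judged against."""
    return "breached" if value > tolerance else "within tolerance"


def build_report(findings, critical_assets, as_of):
    """Aggregate the lower-level records into the small set of indicators reported upward."""
    beyond = pct_critical_beyond_sla(findings, as_of)
    return {
        "as_of": as_of.isoformat(),
        "pct_critical_devices_patched": pct_critical_devices_patched(findings, critical_assets, as_of),
        "pct_critical_vulns_beyond_sla": beyond,
        "kri_status": kri_status(beyond, KRI_TOLERANCE_PCT),
        "mean_time_to_remediate_days": mean_time_to_remediate_days(findings, as_of),
    }


# Constructed sample input for illustration; asset names and dates are invented.
SAMPLE_ASSETS = {"srv-db-01", "srv-web-01", "srv-app-02", "srv-app-03"}
SAMPLE_FINDINGS = [
    Finding("srv-db-01", "critical", date(2024, 6, 1), date(2024, 6, 5)),   # fixed in 4 days
    Finding("srv-web-01", "critical", date(2024, 6, 10), None),             # open, SLA passed 17 Jun
    Finding("srv-web-01", "high", date(2024, 6, 20), None),                 # open, within SLA
    Finding("lap-0042", "critical", date(2024, 6, 25), None),               # open, not a critical asset
    Finding("srv-app-02", "medium", date(2024, 4, 1), date(2024, 6, 15)),   # fixed in 75 days
    Finding("srv-app-03", "low", date(2024, 5, 1), None),                   # open, within SLA
]


def sample_report(as_of_iso: str) -> dict:
    """Run the aggregation over the constructed sample for a given reporting date."""
    return build_report(SAMPLE_FINDINGS, SAMPLE_ASSETS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    # Running the same aggregation for two reporting dates is how a trend is produced.
    for as_of in ("2024-06-12", "2024-06-30"):
        print(sample_report(as_of))
```

On the sample data the 12 June report shows the KRI within tolerance, while by 30 June one of the two open critical findings is past its deadline and the KRI reads 50% and “breached”, which is the kind of change a stakeholder can act on without seeing the underlying scanner rows.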
The primary challenge for information security teams is to report on measurements that are meaningful and useful to different stakeholders. Once key indicators are identified and agreed upon, security practitioners will need to identify lower-level metrics that can be aggregated to support them.

Measuring for success

While awareness of cyber threats is growing, many business leaders and other decision-makers have low confidence in how to manage information risk, because they don’t understand it, let alone know how to measure it effectively. By driving appropriate lines of questioning and measurement, security practitioners have an opportunity to raise that level of confidence with measurements that are trustworthy, relevant, timely and actionable.

Finding an effective way to measure and report on information security does have a real payoff. Organisations that can maintain an understanding of how information risk is likely to impact operations and performance, and can build on that understanding to ask additional questions for added insight, will be much better equipped to thrive in an uncertain, fast-changing business environment.