When it comes to measuring cybersecurity success, those less steeped in the subject matter often boil the whole thing down to one metric: Has your organization been hacked, or hasn’t it?
This puts CSOs in a difficult position because breaches do happen, despite the best-laid defenses. Moreover, just because an organization hasn’t succumbed to a data breach, doesn’t necessarily mean they have the appropriate defenses in place.
To prevent this all-too-common oversimplification of cybersecurity metrics, it’s important that CSOs educate leadership on appropriate success criteria for their security programs. But in an increasingly data-saturated world, what are the core metrics that CSOs should present when communicating the state of security at their organization?
Focus on outcomes over posture
Many executive leaders struggle to prioritize things they can’t measure or quantify. This is why, for CSOs, identifying and agreeing upon cybersecurity metrics is so important. Typically, in security there are two types of metrics you want to measure: compliance and operational. Compliance is, as always, a crucial component of an organization’s security posture. But if disaster strikes, it’s not compliance that you’ll need to report on: It’s a granular view of your operations.
To make their case and answer their leadership’s tough questions about their cybersecurity operations, CSOs should focus on measurable outcomes over posture. The frequency at which CSOs run patches won’t be of interest around the boardroom table. Instead, your leadership will want to see figures for the high-level markers of success that arise when threats are detected.
While there’s no shortage of metrics that CSOs can track, there are three that are critical to monitor so they can report back to the board in a meaningful way when incidents occur: time to detection, time to remediation, and financial position concerning IT’s security budget.
Time to detection (TTD)
This is often the first thing executives worry about, and it should be a no-brainer when CSOs are establishing metrics to watch. How much time passed between when the incident first occurred and when the threat was actually discovered? On average, the time for discovery is around 150 days—not spectacular, and certainly enough time for real damage to be dealt.
In the public sector, however, TTD is even higher: It can take up to a year to identify threats. Stats like this tend to kick-start some alarms among executives, so CSOs should make them aware of the industry standards to avoid panic and a potential rush to the wrong action.
It’s important to remember that less-than-timely threat detection is not solely the fault of IT. More often, it results from a complex set of factors, including an insufficient budget and a lack of appropriate, dedicated resources. Educating leadership about these factors can prompt discussions about increasing security spend, so CSOs should be confident and transparent when explaining their time to detection numbers.
Time to remediation (TTR)
With time to detection as the first crucial metric, it follows that TTR should be the second. Once a CSO has discovered a breach, how long does it take their incident response team to resolve the problem and remove it from their system? This is a stat that should be measured in hours, not days. If it takes days, something in the response pipeline is wrong, and the process needs to be immediately reevaluated.
In addition to tracking TTR, CSOs should focus on improving the efficiency of their team’s response. When their security stack is set up to allow for replication of procedure through automation, decreased response time will follow. CSOs should streamline incident response as much as possible, making sure that when threats with particular signatures are detected, they can be expelled from the system in an efficient and consistent way.
The financial side
The final metric should surprise no one: Your leadership wants the numbers on your financial position. While there is a wide range of reportable statistics related to budget, remember that the goal when presenting to the higher-ups is to make a succinct point about cybersecurity impact and outcomes. With that in mind, there are two financial statistics CSOs should absolutely have ready when speaking in front of decision makers.
First, there’s the percent of your total IT budget that is specifically spent on security. Illustrating how much (or how little) the IT team has to work with in terms of security will help put that work in context. It can sometimes be difficult for non-technical audiences to understand that security only makes up a portion of the total technology budget. They may conflate IT with cybersecurity, assuming the response team has far more resources than they actually do.
CSOs should also bring with them the number of events they have detected, divided by their security budget for that period. By providing an estimated cost for detecting singular events, CSOs can own a measure of efficiency, demonstrating the correlation between security spend and overall cost of detection. This type of measurement presents a great way for CSOs to demonstrate economy of scale, which is crucial during budget talks with your leadership.
When asked to account for breaches or to justify their budget, CSOs can’t afford to show up empty-handed. They need to demonstrate a keen eye for efficiency, growth and success. In order to do that with any degree of reliability, they need appropriate metrics.
The metrics discussed above are just a starting point. It’s crucial that all CSOs find the numbers that best demonstrate their capabilities and work, and that support their organization’s mission. But by establishing and keeping to these basic metrics for success, they can be sure they are well-prepared when it comes to discussing key indicators of success with leadership.