At their core, boards approve the strategic direction of an organization as well as how the organization allocates resources and mitigates risk. Security leaders have to present metrics that align with business objectives to make an impact at the board level. Here’s why many security metrics fall short of this goal:
- Metrics such as the number of daily phishing alerts don’t provide context—that is, they don’t inform CISOs if the numbers are good news or bad news. If metrics don’t point to next steps such as changing processes, better configuration of products or identifying opportunities for automation, the path to action is unclear.
- Metrics often illustrate how tools are being used, not the results they yield and what those actually mean. Metrics based on tools are considered the low-hanging fruit of the security world—they’re easily available, but they don’t help solve problems.
- Often, organizations don’t address people, processes and technology—three key pillars necessary to construct a big-picture view of how a company’s security model is performing.
While these are metrics to avoid, there are different metrics that matter to leadership and are understandable to many more stakeholders—not just the security team. These metrics focus on the effectiveness of the resources being deployed (i.e., the security program’s tools and people) as well as on ensuring you have the visibility needed to mitigate risk.
3 Metrics to Gauge Cybersecurity Program Health