Lots of folks ask me about security metrics.
“Help me with security metrics!”
“I need security metrics!”
My response? “Well, what are you trying to track? What are you trying to achieve? What story do you want to tell?”
There are really two types of metrics you want to track. The first type is operational security metrics. This is what you need to manage your department or team. I’m not sure folks care too much about this outside of security. However, you need operational security metrics to maximize efficiency and effectiveness of the security department.
The second type is board-level metrics. This is what you need to present to validate the existence of the security department in your company.
Once upon a time I was a CISO. I’ll probably never go back, but that’s a story for a different day. In my CISO days, folks were so wrapped around the axle on metrics, but at the end of the day, I don’t think they cared that much about security. They just wanted numbers to look at. My management and board didn’t care about mean time to detect (MTTD) or mean time to recover (MTTR). They didn’t care about the frequency of vendor reviews or number of users with “super user” access. They didn’t care about normal security metrics. Even I thought preparing metrics was boring, and I do security full-time. Honestly, writing “time to detect” makes me yawn.
What my board cared about – and what I’ve seen hundreds of boards care about – is stories and other stuff that helps them look good. Why the heck should they care about how many users have “super user” access or the number of open ports? What the board cares about is how your security program is making the business stronger and helping them achieve their business goals. As a side note, executives get paid and incentivized on their ability to deliver for the business. If you can prove your security program is allowing them to innovate and deliver their projects faster with less money, they’ll pay attention.
If you’re a CISO or security leader, you must fundamentally understand the strategic goals and objectives of your company. I’d say 80% of CISOs I meet with can’t answer this or don’t know – by the way, I talk to a lot of CISOs. Now, if you’re in the 80% that doesn’t know the annual strategic goals of your company, stop reading this. Go figure out the goals of your CIO and CEO and then come back. Keep in mind you’re supposed to be a business executive helping your business meet their goals. If you’re the business prevention police, your days are numbered.
Let’s say you do know what your business does. Now you must be creative and come up with security goals to support your business and then develop supporting metrics. Here are some examples:
- GOAL: Push out an application to the edge that will revolutionize how your customers interact with your company.
  - Metric: Number of SAML connections and the total authentication time saved across those connections.
  - Value: Proves the value of the authentication solution by time saved on login and a better end user experience.
- GOAL: Combat and prevent fraud (e.g., bot networks).
  - Metric: Goods or dollars saved by implementation of the fraud prevention solution.
  - Value: Executives love this one. It directly shows cash savings on the profit and loss statement.
- GOAL: Achieve cost savings.
  - Metric: Security budget as a percentage of IT spend. The industry average is 5%, so reducing this number can support your business goals.
  - Value: Shows you have your stuff together, are familiar with the company financials, and that you’re doing your part.
There’s a ton of metrics you can put in place to prove you’re supporting your business. The truth is executives love stories. If you can tie metrics into an actual story (e.g., a story about how you cut bot traffic to save money), you’ll get the attention of the executives or the board. If I’m being honest, security metrics are boring, but even I like stories.
Bottom line? Metrics are good. Stories are better. Another big question I’m asked regularly is how to get more money for my projects. What I’ve seen work well is to illustrate the negative. In graphical form, show where you can’t invest and what capabilities you can’t develop because you don’t have the dollars.
Here’s an example. There are 17 functional areas of security:
- Internal Compliance (i.e., the framework you adhere to internally, e.g., ISO, NIST, etc.)
- External Compliance (i.e., the framework others hold you to, e.g., laws and regulations, etc.)
- Data Privacy
- IT Security Policy
- Third Party Security Management
- Security Risk Management
- Information Security Asset Management
- Security Awareness
- Security Architecture
- Application Security
- Security Integration (i.e., how well you can integrate security technology into your environment – this is overlooked 95% of the time)
- Security Implementation (i.e., how well you can implement solutions to meet use cases)
- Security Testing
- Security Technology Management (i.e., how well you maintain your security technology hygiene)
- Investigations and Incident Response
- Security Incident and Event Management (i.e., security monitoring)
- Identity and Access Management
Build these into a one-page grid layout. Shade green the functional areas that are funded with budget; shade red or gray the unfunded functional areas. The question that gets asked 100% of the time is, “Why are those ‘cells’ or ‘functions’ red (or gray)?” As the CISO, you’ll be able to answer, “Well, those are all the things we can’t do because we don’t have resources.” Often, the executive team or board will still want coverage on these unfunded areas. Since they now know you’re not covering these functions, it becomes a natural step into the budget conversation.
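As an added example (not code from the original post or from NuHarbor), here is a small script that turns the 17 functional areas above into the one-page shaded grid: green cells for funded areas, gray for unfunded, with a legend that counts coverage. The HTML output format, the specific colour codes, and the sample funding picture are assumptions for illustration; the list of areas is the one given in the post.

```python
"""Render the 17-area security coverage grid as a one-page HTML table."""
from html import escape

# The 17 functional areas listed in the post.
FUNCTIONAL_AREAS = (
    "Internal Compliance",
    "External Compliance",
    "Data Privacy",
    "IT Security Policy",
    "Third Party Security Management",
    "Security Risk Management",
    "Information Security Asset Management",
    "Security Awareness",
    "Security Architecture",
    "Application Security",
    "Security Integration",
    "Security Implementation",
    "Security Testing",
    "Security Technology Management",
    "Investigations and Incident Response",
    "Security Incident and Event Management",
    "Identity and Access Management",
)

# Assumed cell colours: green for funded, gray for unfunded (use red if preferred).
FUNDED_COLOR = "#c8e6c9"
UNFUNDED_COLOR = "#d9d9d9"


def coverage_summary(funding):
    """Split the 17 areas into funded and unfunded lists.

    `funding` maps area name -> True (funded) / False (unfunded).
    Every area must be present so nothing silently drops off the grid.
    """
    missing = [a for a in FUNCTIONAL_AREAS if a not in funding]
    unknown = [a for a in funding if a not in FUNCTIONAL_AREAS]
    if missing or unknown:
        raise ValueError(f"missing areas: {missing}; unknown areas: {unknown}")
    funded = [a for a in FUNCTIONAL_AREAS if funding[a]]
    unfunded = [a for a in FUNCTIONAL_AREAS if not funding[a]]
    return {
        "funded": funded,
        "unfunded": unfunded,
        "funded_pct": round(100 * len(funded) / len(FUNCTIONAL_AREAS), 1),
    }


def coverage_grid_html(funding, columns=4):
    """Return a self-contained HTML page with the shaded one-page grid."""
    summary = coverage_summary(funding)
    cells = []
    for area in FUNCTIONAL_AREAS:
        color = FUNDED_COLOR if funding[area] else UNFUNDED_COLOR
        label = "funded" if funding[area] else "unfunded"
        cells.append(
            f'<td style="background:{color};padding:12px;border:1px solid #999" '
            f'title="{label}">{escape(area)}</td>'
        )
    # Pad the last row with empty cells so the table stays rectangular.
    while len(cells) % columns:
        cells.append('<td style="border:none"></td>')
    rows = [
        "<tr>" + "".join(cells[i:i + columns]) + "</tr>"
        for i in range(0, len(cells), columns)
    ]
    legend = (
        f"<p>Funded: {len(summary['funded'])} of {len(FUNCTIONAL_AREAS)} "
        f"({summary['funded_pct']}%). Unfunded: "
        f"{', '.join(summary['unfunded']) or 'none'}.</p>"
    )
    return (
        "<html><body><h2>Security functional coverage</h2>"
        '<table style="border-collapse:collapse">'
        + "".join(rows) + "</table>" + legend + "</body></html>"
    )


# Constructed sample: which areas a hypothetical program has budget for this year.
SAMPLE_FUNDING = {area: True for area in FUNCTIONAL_AREAS}
for _area in ("Security Integration", "Security Testing",
              "Third Party Security Management", "Security Awareness"):
    SAMPLE_FUNDING[_area] = False

if __name__ == "__main__":
    with open("coverage_grid.html", "w", encoding="utf-8") as fh:
        fh.write(coverage_grid_html(SAMPLE_FUNDING))
    print(coverage_summary(SAMPLE_FUNDING))
```

Run it and open `coverage_grid.html`; the gray cells are the ones that prompt the "why are those gray?" question, and the legend gives you the count to answer with. `coverage_summary` refuses a funding map that omits or misnames an area, so a function can't quietly vanish from the grid.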
Metrics are tough. What works for one company likely won’t work for another. The executives and board members are different. They’re compensated differently and have different objectives. Most of the time they’re not technical, and what resonates is stories and plain business speak.
If you need help with organizational security metrics, contact us to speak with an expert! We’ve got you covered.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.