Security Metrics for the CISO | NuHarbor Security

By: Justin Fimlaid

A lot of folks ask me about security metrics: “Help me with security metrics!” “I need security metrics!” My response: “Well, what are you trying to track? What are you trying to achieve with the security metrics? What story do you want to tell?”

There are really two types of metrics you want to track. The first type is operational security metrics: the metrics you need to manage your department or team. I’m not sure folks outside of security care too much about this type of metric. However, you need operational security metrics to maximize the efficiency and effectiveness of the security department.

The other type of security metric is Board-level metrics: the metrics you need to present to validate the existence of the security department in your company. This article is about this type of metric.

There was a point in time when I was a CISO. I’ll probably never go back, but that’s a story for a different day. In my CISO days folks were so wrapped around the axle on metrics, but at the end of the day I don’t think they cared that much about security; rather, they just wanted numbers to look at. My management and Board didn’t care about time-to-detect or time-to-recover. They didn’t care about the frequency of vendor reviews or the number of users with “super user” access. They didn’t care about normal security metrics, and I thought preparing metrics was boring…and I do security full-time. Honestly, just writing “time-to-detect” makes me yawn.

What my Board cared about then, and what I’ve seen hundreds of boards care about now, is stories and “stuff” that helps them look good. Why the heck should they care about how many users have “super user” access? Or the number of open ports? (By the way, they don’t care.) What they, the Board, care about is how your security program is making the business stronger and helping them achieve their business goals. As a side note, business executives get paid and incentivized on their ability to deliver the business. If you can prove your security program is allowing them to innovate and deliver THEIR projects faster, with less money, then they’ll pay attention. If you’re a CISO or security leader reading this, then you fundamentally need to understand the strategic goals and objectives of your company. I will say 80% of the CISOs I meet with can’t answer this or don’t know. And, by the way, I talk to a lot of CISOs during my work week. Now, if you’re in the 80% that doesn’t know the annual strategic goals of your company, stop reading this. Go figure out the goals of your CIO and CEO and then come back. Keep in mind you are supposed to be a business executive helping your business meet its goals; if you are the business prevention police, then your days are numbered.

So let’s say you do know what your business does. Now you have to be creative: come up with the security goals that support your business, then develop the supporting metrics. Here are some samples:

  • Pushing out an application to the edge that will revolutionize how your customers interact with your company?
    • Metric: SAML connections and total authentication time saved, by number of connections. (Value: proves the value of the authentication solution by time saved on login and a better end user experience.)
  • Is the company brand struggling with fraud (maybe bot networks)?
    • Metric: Goods or dollars saved by implementation of a fraud prevention solution. (Value: Executives love this one. It directly shows you saving cash on the profit and loss statement. If you are ever in Boston I’ll tell you a story about binary decisioning models over a pint.)
  • Is your company looking to save cash?
    • Metric: Security budget as a % of IT spend; the industry average is 5%, so reducing this number can support your business goals. (Value: Shows you have your stuff together, you’re familiar with the company financials, and you’re doing your part.)

There are a ton of metrics you can put in place to prove you are supporting your business. The truth is executives LOVE stories. If your metrics can tie to an actual story (e.g. a story about how you dropped bot traffic to save money), you’ll get the attention of the Executives or the Board. If I’m being honest, security metrics are boring, but even I like stories.

Metrics are good. Stories are better. The big question I often get is: how do I get more money for my projects? What I’ve seen work really well is to show the negative. What I mean by that is to show, in graphical form, where you can’t invest and which capabilities you can’t develop because you don’t have the dollars. Here’s an example; there are 17 functional areas of security:

  1. Internal Compliance (the framework you adhere to internally: ISO, NIST, etc.)
  2. External Compliance (the framework others hold you to: laws, regulations, etc.)
  3. Data Privacy
  4. IT Security Policy
  5. Third Party Security Management
  6. Security Risk Management
  7. Information Security Asset Management
  8. Security Awareness
  9. Security Architecture
  10. Application Security
  11. Security Integration (how well you can integrate security technology into your environment; this is overlooked 95% of the time)
  12. Security Implementation (how well you can implement solutions to meet use cases)
  13. Security Testing
  14. Security Technology Management (How well you maintain the hygiene of your security technology)
  15. Investigations and Incident Response
  16. Security Incident and Event Management (monitoring)
  17. Identity and Access Management

Put these all on a one-page grid in a graphical layout. Color the areas that are funded with budget green, and mark the un-funded functional areas grey or red. The question that gets asked 100% of the time: “Why are those ‘cells’ or ‘functions’ red (or grey)?” CISO: “Well, those are all the things we can’t do because we don’t have resources.” A lot of the time, the Executive team or Board will still want coverage on these un-funded areas, since they now know you’re not covering these functions, and it’s a natural step into the budget conversation.

Metrics are tough. What works for one company likely won’t work for another. The Executives and Board members are different, they are compensated differently, and they have different objectives. A high majority of the time they are not technical, and the thing that resonates is stories and plain business talk.

If you need help with security metrics for your organization contact us for additional ideas.