August 17, 2018 By Joan Goodchild 4 min read

Just about every chief information security officer (CISO) has a common objective when it comes to making a case for security: proving a return on investment (ROI) and obtaining the budget needed to provide the best defense in the future. If the case is for security ROI, it must rely on metrics.

“You can’t own a problem if you don’t measure it,” Jason Christopher, chief technology officer (CTO) at cyber risk optimization firm Axio Global, Inc., wrote in a post for Forbes. “If you’re not measuring it, then there’s no way to address it.”

What Security Metrics Should CISOs Present to Business Leaders?

So how can CISOs measure the effectiveness of security efforts to help them demonstrate the need for greater cybersecurity investment in budget discussions with financial decision-makers?

When presenting to company executives, it’s important to keep in mind that they’re primarily interested in how security investments support the business’ mission and priorities. If you can demonstrate how patching and other defense efforts keep mission-critical applications up and running, this will go a long way toward making the case for future budgetary dollars.

According to Chris Clymer, security director at MRK Technologies, as quoted in a blog post for MIS Training Institute, “the board doesn’t care how many patches you’ve applied or the number of firewall rules you’ve processed.” However, if you can demonstrate how security investments have helped reduce the likelihood of a breach or identify risks that could affect mergers and acquisitions, executives will recognize the value of security.

Let’s take a look at some other security metrics that can help CISOs make a strong business case for additional investment in cybersecurity.

Cost of Detection

When presenting metrics to company leadership, CISOs should aim to explain cybersecurity impacts and outcomes as clearly as possible. According to Greg Kushto, director of security and enterprise networking at IT management firm Force 3, security leaders can demonstrate how much the IT team works on security and risk mitigation by presenting figures that reveal how much of the total IT budget is spent on cybersecurity.

“By providing an estimated cost for detecting singular events, CSOs can own a measure of efficiency, demonstrating the correlation between security spend and overall cost of detection,” Kushto wrote in an article for CSO Online.

Time to Detect and Remediate

In addition to the cost of detection, security leaders must also consider the time frame. Time to detect is a crucial metric for conveying security’s success rate to corporate leadership, but the details and measurements may vary from company to company and industry to industry. Take figures from the Ponemon Institute’s most recent “Cost of a Data Breach Study,” for instance, which found that U.S. companies took an average of 201 days to detect a data breach.

Also important is time to remediate, which is how long it takes for a security team to resolve a vulnerability or security incident. By keeping a log that tracks how much time it takes to resolve incidents, security leaders can give financial decision-makers a better idea of both the manpower and cost involved.

Cost of Downtime

While the goal is to use these metrics to demonstrate success by showing a short window between detection and remediation, any downtime experienced while resolving a vulnerability or security incident has financial implications. Executive leadership needs security managers to measure and report on the productivity losses, negative impacts on sales and missed revenue that result from downtime during remediation.

“If sales were lost, consider cross referencing the volume of sales from your historical data to see how much your revenue was impacted,” suggested Venkatesh Sumar, chief marketing officer of Indusface. “Or you could measure how many leads or how much traffic you would normally get on a similar day and compare it to the results during an incident with downtime.”

In the Forbes article, Christopher illustrated a scenario in which a company loses its data center as the result of an incident. While the obvious metrics would be recovery costs associated with the hardware and software, he noted that it actually costs much more than that.

“That number doesn’t take into account lost revenue as a result of not having the data center, let alone potential legal fees, regulatory fines and other operational impacts,” he wrote.
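To make the time-to-detect, time-to-remediate and cost-of-downtime metrics from the two sections above concrete, here is an added example (not code from the article or any of the firms quoted) that computes them from a small incident log. The log entries, the revenue-per-hour figure and the analyst hourly rate are all constructed sample values; the labour estimate assumes one analyst engaged for the whole remediation window.

```python
# Added example: MTTD, MTTR and downtime-cost metrics over a constructed incident log.
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log. Timestamps are ISO 8601 to the minute; downtime_hours is
# the service outage incurred while the incident was being remediated.
INCIDENTS = [
    {"id": "INC-001", "severity": "high", "occurred": "2018-03-01T02:00",
     "detected": "2018-03-11T02:00", "resolved": "2018-03-12T02:00",
     "downtime_hours": 6.0},
    {"id": "INC-002", "severity": "low", "occurred": "2018-04-10T11:00",
     "detected": "2018-04-10T14:00", "resolved": "2018-04-11T02:00",
     "downtime_hours": 0.0},
    {"id": "INC-003", "severity": "high", "occurred": "2018-05-05T00:00",
     "detected": "2018-05-25T00:00", "resolved": "2018-05-27T00:00",
     "downtime_hours": 30.0},
]

def hours_between(start, end):
    """Elapsed hours between two ISO 8601 timestamps (minute precision)."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600

def detection_metrics(incidents):
    """Mean time to detect (MTTD) and mean time to remediate (MTTR) in hours, overall and per severity."""
    ttd, ttr = defaultdict(list), defaultdict(list)
    for inc in incidents:
        ttd[inc["severity"]].append(hours_between(inc["occurred"], inc["detected"]))
        ttr[inc["severity"]].append(hours_between(inc["detected"], inc["resolved"]))
    all_ttd = [h for hs in ttd.values() for h in hs]
    all_ttr = [h for hs in ttr.values() for h in hs]
    return {
        "mttd_hours": mean(all_ttd),
        "mttr_hours": mean(all_ttr),
        "by_severity": {sev: {"mttd_hours": mean(ttd[sev]), "mttr_hours": mean(ttr[sev])}
                        for sev in ttd},
    }

def downtime_cost(incidents, revenue_per_hour, analyst_rate_per_hour):
    """Revenue lost during outages plus remediation labour (one analyst assumed per incident).
    Both rates are constructed inputs supplied by the caller."""
    lost_revenue = sum(i["downtime_hours"] * revenue_per_hour for i in incidents)
    labour = sum(hours_between(i["detected"], i["resolved"]) * analyst_rate_per_hour
                 for i in incidents)
    return {"lost_revenue": lost_revenue, "labour_cost": labour, "total": lost_revenue + labour}
```

Feeding real ticket exports into `INCIDENTS` and the finance team's own revenue baseline into `downtime_cost` yields the per-severity figures and the dollar impact that the sections above recommend reporting.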

Awareness Results

CISOs who invest in a security awareness training program should prepare numbers that demonstrate its effectiveness and the level of participation from employees. The Security Awareness Company recommended two categories of metrics: deployment, which refers to the participation and initial engagement among employees, and impact, which measures how behavior changes among employees after taking part in security awareness training. For example, after training, did you observe a decrease in the number of employees who fell for a phishing email during your recent simulation?

Why Metrics Matter

For those in leadership positions, compliance, regulatory frameworks and industry standards are top of mind. While the common refrain that compliance doesn’t equal security rings truer than ever, metrics that show where you are in your compliance and cyber awareness journeys can lead to further budgetary investments in security.

Measuring security and risk is not a simple task, and the most relevant metrics will vary from organization to organization. But the ability to quantify the impact of a cyberattack on business, coupled with the results of your strategy, can help CISOs make the case for ROI in security.
