Just about every chief information security officer (CISO) has a common objective when it comes to making a case for security: proving a return on investment (ROI) and obtaining the budget needed to provide the best defense in the future. If the case is for security ROI, it must rely on metrics.
“You can’t own a problem if you don’t measure it,” Jason Christopher, chief technology officer (CTO) at cyber risk optimization firm Axio Global, Inc., wrote in a post for Forbes. “If you’re not measuring it, then there’s no way to address it.”
What Security Metrics Should CISOs Present to Business Leaders?
So how can CISOs measure the effectiveness of security efforts to help them demonstrate the need for greater cybersecurity investment in budget discussions with financial decision-makers?
When presenting to company executives, it’s important to keep in mind that they’re primarily interested in how security investments support the business’ mission and priorities. If you can demonstrate how patching and other defense efforts keep mission-critical applications up and running, this will go a long way toward making the case for future budgetary dollars.
According to Chris Clymer, security director at MRK Technologies, as quoted in a blog post for MIS Training Institute, “the board doesn’t care how many patches you’ve applied or the number of firewall rules you’ve processed.” However, if you can demonstrate how security investments have helped reduce the likelihood of a breach or identify risks that could affect mergers and acquisitions, executives will recognize the value of security.
Listen to the podcast: If You Can’t Measure It, You Can’t Manage It
Let’s take a look at some other security metrics that can help CISOs make a strong business case for additional investment in cybersecurity.
Cost of Detection
When presenting metrics to company leadership, CISOs should aim to explain cybersecurity impacts and outcomes as clearly as possible. According to Greg Kushto, director of security and enterprise networking at IT management firm Force 3, security leaders can demonstrate how much the IT team works on security and risk mitigation by presenting figures that reveal how much of the total IT budget is spent on cybersecurity.
“By providing an estimated cost for detecting singular events, CSOs can own a measure of efficiency, demonstrating the correlation between security spend and overall cost of detection,” Kushto wrote in an article for CSO Online.
Time to Detect and Remediate
In addition to the cost of detection, security leaders must also consider the time frame. Time to detect is a crucial metric for conveying security’s success rate to corporate leadership, but the details and measurements may vary from company to company and industry to industry. Take figures from the Ponemon Institute’s most recent “Cost of a Data Breach Study,” for instance, which found that U.S. companies took an average of 201 days to detect a data breach.
Also important is time to remediate, which is how long it takes for a security team to resolve a vulnerability or security incident. By keeping a log that tracks how much time it takes to resolve incidents, security leaders can give financial decision-makers a better idea of both the manpower and cost involved.
Cost of Downtime
While the goal is to use these metrics to demonstrate success by boasting a short window of time between detection and remediation, any downtime experienced while resolving a vulnerability or security incident has financial implications. Executive leadership needs security managers to measure and report back on productivity losses, negative impacts to sales and revenue misses that result from downtime during remediation.
“If sales were lost, consider cross referencing the volume of sales from your historical data to see how much your revenue was impacted,” suggested Venkatesh Sumar, chief marketing officer of Indusface. “Or you could measure how many leads or how much traffic you would normally get on a similar day and compare it to the results during an incident with downtime.”
In the Forbes article, Christopher illustrated a scenario in which a company loses its data center as the result of an incident. While the obvious metrics would be recovery costs associated with the hardware and software, he noted that it actually costs much more than that.
“That number doesn’t take into account lost revenue as a result of not having the data center, let alone potential legal fees, regulatory fines and other operational impacts,” he wrote.
CISOs who invest in a security awareness training program should prepare numbers that demonstrate its effectiveness and the level of participation from employees. The Security Awareness Company recommended two categories of metrics: deployment, which refers to the participation and initial engagement among employees, and impact, which measures how behavior changes among employees after taking part in security awareness training. For example, after training, did you observe a decrease in the number of employees who fell for a phishing email during your recent simulation?
Why Metrics Matter
For those in leadership positions, compliance, regulatory frameworks and industry standards are top of mind. While the common refrain that compliance doesn’t equal security is more true than ever, metrics that show where you are in your compliance and cyber awareness journeys can lead to further budgetary investments in security.
Measuring security and risk is not a simple task, and the most relevant metrics will vary from organization to organization. But the ability to quantify the impact of a cyberattack on business, coupled with the results of your strategy, can help CISOs make the case for ROI in security.