Mapping Business Drivers to Program Metrics

You wouldn’t measure the value of a house by its cubic footage — you could, but it wouldn’t tell you much about what we value in a house. Similarly, you can’t measure the success of a security program with typical IT metrics like service level agreements (SLAs) and number of transactions, at least not in isolation.

There is a basic three-step process to identify the measures. I have taken a number of clients through this process. It’s never easy, but it is repeatable.

First, prioritize the business drivers for security. These are typically simple phrases like operational efficiency, increased security, reduced risk, enabling business growth, etc.

Second, gain agreement on the program objectives for each of the business drivers. For example, I often hear statements like, “Protect the organization’s reputation and customers’ confidence by protecting confidential and personal data.” This is often an objective for the reduced risk business driver.

Finally, select two to four tangible measurements of each objective. These are your program metrics. We frequently see the same measurement occur for multiple program objectives and across multiple security programs.

Selecting Thresholds

So after hours of collaboration, with input from your team and external experts, you have your list of program metrics. Excellent — but you’re not done. You need to know what the thresholds are to initiate a reaction. Color-based statuses such as red, yellow and green are one way of reporting. But I like another option:

This model is an acknowledgment that security is dynamic; the work is never done. As security practitioners, we should be gaining maturity with every reporting cycle. The objective of a security program should always be to improve maturity at a rate equal to the threats and the business complexity.

Each of these reporting levels needs a corresponding objective measure — a numeric threshold. Each should be clearly defined for the program metrics. For example, an identity governance solution may be maturing if two or more applications were integrated, or declining if more than one access certification cycle was missed. Make this clear to your reporting audience and you will gain both credibility and engagement.

Determining Frequency

By providing this transparency to program stakeholders, it’s possible to build awareness, increase engagement and, most importantly, solicit help. Most IT services are reported on a monthly basis. Reporting can be a significant time burden and stakeholders may not need frequent updates. Finding the right balance between efficiency and frequency takes time.

My typical recommendation is to report on program-level metrics monthly. But your audience may want your team to follow the cadence of other IT groups.

We Missed Achieving a Metric — So What?

Security is a board-level topic in every company. Multiple regulatory requirements, including GLBA and SOX, require strong security and controls. If you miss a metric — and I can almost guarantee every security program will miss achieving one of their metrics over the course of a year — it will get visibility. Is that a bad thing? Maybe not.

Organizational leadership most often wants to know what the downstream impacts are and what caused the metric to be missed. If your security programs have mapped program metrics to business drivers, and they have a strong program management structure in place, the program leader and CISO will easily answer these questions.

Having seen this cycle occur many times with my clients, and having observed their reactions as they view these situations in hindsight, I can say they typically find it to be a healthy cycle that can increase the maturity of the security organization.
