November 17, 2015 By Brett Valentine 3 min read

Mapping Business Drivers to Program Metrics

You wouldn’t measure the value of a house by the cubic footage of volume — you could, but it wouldn’t tell you much about what we value in a house. Similarly, you can’t measure the success of a security program with typical IT metrics like service level agreements (SLAs) and number of transactions, at least not in isolation.

There is a basic three-step process to identify the measures. I have taken a number of clients through this process. It’s never easy, but it is repeatable.

First, prioritize the business drivers for security. These are typically simple phrases like operational efficiency, increased security, reduced risk, enabling business growth, etc.

Second, gain agreement on the program objectives for each of the business drivers. For example, I often hear statements like, “Protect the organization’s reputation and customer’s confidence by protecting confidential and personal data.” This is often an objective for the reduced risk business driver.

Finally, select two to four tangible measurements of each objective. These are your program metrics. We frequently see the same measurement occur for multiple program objectives and across multiple security programs.

Selecting Thresholds

So after hours of collaboration, with input from your team and external experts, you have your list of program metrics. Excellent — but you’re not done. You need to know what the thresholds are to initiate a reaction. Color-based statuses such as red, yellow and green are one way of reporting. But I like another option:

This model is an acknowledgment that security is dynamic; the work is never done. As security practitioners, we should be gaining maturity with every reporting cycle. The objective of a security program should always be to improve maturity at a rate equal to the threats and the business complexity.

Each of these reporting levels needs a corresponding objective measure — a numeric threshold. Each should be clearly defined for the program metrics. For example, an identity governance solution may be maturing if two or more applications were integrated, or declining if more than one access certification cycle was missed. Make this clear to your reporting audience and you will gain both credibility and engagement.

Determining Frequency

By providing this transparency to program stakeholders, it’s possible to build awareness, increase engagement and, most importantly, solicit help. Most IT services are reported on a monthly basis. Reporting can be a significant time burden and stakeholders may not need frequent updates. Finding the right balance between efficiency and frequency takes time.

My typical recommendation is to report on program-level metrics monthly. But your audience may want your team to follow the cadence of other IT groups.

We Missed Achieving a Metric — So What?

Security is a board-level topic in every company. Multiple regulatory requirements, including GLBA and SOX, require strong security and controls. If you miss a metric — and I can almost guarantee every security program will miss achieving one of their metrics over the course of a year — it will get visibility. Is that a bad thing? Maybe not.

Organization leadership most often wants to know what the downstream impacts are and the causes of missing that metric. If your security programs have mapped program metrics to business drivers, and they have a strong program management structure in place, the program leader and CISO will easily answer these questions.

Having seen this cycle occur many times with my clients, and having observed their reactions as they view these situations in hindsight, they typically find this is a healthy cycle that can increase the maturity of the security organization.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today