Leaders increasingly expect security investments to be both financially sound and a measurable improvement to their enterprises’ risk posture.
Unfortunately, many security teams either manage by instinct and don’t take the time to crunch the numbers, or they present management with a barrage of complicated measures that don’t show how their work leads to organizational success. Either approach misses one of the best ways to rally support for IT projects: security metrics.
A good metrics program doesn’t need to be a burden to an already beleaguered IT team. When planned and built around a concise set of measures, metrics lead to greater transparency, continuous progress, better executive-level visibility, increased organizational awareness of security, and more effective ways to prevent, detect and recover from breaches.
As you plan your metrics program, keep these strategies in mind.
1. Choose the Right Security Metrics
The first step is to ensure that you address senior leadership concerns: Are we defending government services, voter registration systems, credit card data, healthcare records and other sensitive information against a breach? Are we in compliance with regulations and standards, such as the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard and the National Institute of Standards and Technology’s Cybersecurity Framework?
Metrics that speak to those concerns include:
- Cost to detect and remediate a breach, or mean time to remediate
- Noncompliance issues found in audits
- Percentage of incidents associated with a critical asset
Pick just a few to get started, stay nonjudgmental and focus on those with the greatest potential impact to the organization.
2. Measure Public-Sector Productivity and Efficiency
In general, public-sector IT budgets for security are lower than in the private sector, and seasoned security expertise is increasingly scarce. So, it’s worthwhile figuring out which processes are most time-consuming, and which could reduce risk while making operations more effective and efficient. Examples include analyst workload or percent of time spent on administrative tasks; level of unplanned outages; frequency of policy breaches; and effectiveness of security awareness programs.
Avoid getting caught in analysis paralysis. Ensure metrics are SMART: specific, measurable, actionable, relevant and timely.
3. Establish Security Performance Benchmarks
Show how your department and organization’s current performance compares with past performance, and how you stack up against your peers. Reports from sources such as Gartner, Forrester or the Ponemon Institute can help establish benchmarks and set targets.
A quarterly schedule is reasonable when starting a program because it will take some work to create procedures, gather data, analyze it and come to conclusions.
Reports from security tools (such as privileged access management systems or anti-malware tools) and audit reports provide much of the data, but some information may need to be gathered by hand. Automate those efforts as quickly as possible. Reporting can be split by department or team. If a specific group regularly fails security training but the rest of the organization does not, a departmental breakdown can highlight corrective action that will improve the entire organization’s security stance.
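As an added illustration, not part of the original article, the following Python script computes three of the metrics named above (mean and median time to remediate, percentage of incidents tied to a critical asset, and training-failure rate broken down by department), compares them against a prior-quarter benchmark, and flags any department whose failure rate exceeds the organization-wide rate. All incident records, training results and benchmark figures are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents (not real data): (id, detected, remediated, critical_asset, department)
INCIDENTS = [
    ("INC-1", "2024-01-03T09:00", "2024-01-03T13:00", True,  "Finance"),
    ("INC-2", "2024-01-10T08:00", "2024-01-12T08:00", False, "HR"),
    ("INC-3", "2024-02-02T10:00", "2024-02-02T12:00", False, "Finance"),
    ("INC-4", "2024-02-20T14:00", "2024-02-21T14:00", True,  "IT"),
    ("INC-5", "2024-03-05T09:30", "2024-03-05T11:30", False, "HR"),
]
# Constructed security-awareness training results: (employee, department, passed)
TRAINING = [
    ("e1", "Finance", True), ("e2", "Finance", True), ("e3", "Finance", True), ("e4", "Finance", False),
    ("e5", "HR", True), ("e6", "HR", False), ("e7", "HR", True), ("e8", "HR", False),
    ("e9", "IT", True), ("e10", "IT", True),
]

def hours_to_remediate(incident):
    _, detected, remediated, _, _ = incident
    return (datetime.fromisoformat(remediated) - datetime.fromisoformat(detected)).total_seconds() / 3600

def time_to_remediate(incidents):
    """Mean and median hours from detection to remediation; the median guards against one long incident skewing the mean."""
    hours = [hours_to_remediate(i) for i in incidents]
    return round(mean(hours), 1), round(median(hours), 1)

def pct_on_critical_assets(incidents):
    """Percentage of incidents that touched a critical asset."""
    return round(100 * sum(1 for i in incidents if i[3]) / len(incidents), 1)

def training_failure_rate_by_department(results):
    totals, failed = defaultdict(int), defaultdict(int)
    for _, dept, passed in results:
        totals[dept] += 1
        failed[dept] += 0 if passed else 1
    return {d: round(100 * failed[d] / totals[d], 1) for d in totals}

def departments_needing_attention(results):
    """Departments whose training-failure rate exceeds the organization-wide rate."""
    org_rate = 100 * sum(1 for r in results if not r[2]) / len(results)
    return sorted(d for d, rate in training_failure_rate_by_department(results).items() if rate > org_rate)

def quarterly_report(incidents, prior):
    """Current incident metrics with deltas against a prior-quarter benchmark (a constructed dict here)."""
    mean_h, median_h = time_to_remediate(incidents)
    current = {"mttr_hours": mean_h, "median_ttr_hours": median_h, "pct_critical": pct_on_critical_assets(incidents)}
    return {k: {"current": v, "delta": round(v - prior[k], 1)} for k, v in current.items()}
```

A negative delta on the time-to-remediate and critical-asset figures is the trend to show leadership; the per-department breakdown is what points at corrective action.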
4. Don’t Just Report Results, Tell a Compelling Story
Communication can take the form of a written monthly report, a quarterly in-person presentation, or inclusion in quarterly operational or budget reviews. For each of the metrics, include a synopsis of the current situation; a comparison to benchmarks, peers or other departments; trends uncovered; and corrective action desired.
A simple report can be effective, but a PowerPoint presentation or a scorecard can convey the information in an easier-to-understand format. In-person presentations allow you to immediately clarify issues and better engage your audience, but they can be intimidating, especially if there is concern that the meeting will turn into a blame session. Realize that although early numbers might show a series of weaknesses, the act of reporting them and suggesting corrective action will, over time, improve security operations.
When meeting with other departments, highlight areas that directly impact them, such as compliance or out-of-policy endpoints. Try not to rehash past mistakes; instead, focus on the way forward with metrics to support your conclusions. For presentations to senior leadership, find the right balance between being overly technical and too generic, and tie metrics back to the organization’s goals.