4 Ways to Harness the Power of Security Metrics in the Public Sector

Ever-growing cyberthreats and shrinking budgets make it crucial for state and local government security departments to align with their organizations’ goals.

Leaders increasingly expect investments that are both financially sound and a significant boost for their enterprises’ risk profiles.

Unfortunately, many security teams either manage by instinct and don’t take the time to crunch the numbers, or they present management with a barrage of complicated measures that don’t show how their work leads to organizational success. Doing so misses one of the best ways to rally support for IT projects: security metrics.

A good metrics program doesn’t need to be a burden to an already beleaguered IT team. When planned and built around a concise set of measures, metrics lead to greater transparency, continuous progress, better executive-level visibility, increased organizational awareness of security, and more effective ways to prevent, detect and recover from breaches.

As you plan your metrics program, keep these strategies in mind.

SIGN UP: Get more news from the StateTech newsletter in your inbox every two weeks

1. Choose the Right Security Metrics

The first step is to ensure that you address senior leadership concerns: Are we defending government services, voter registration systems, credit card data, healthcare records and other sensitive information against a breach? Are we in compliance with regulations and standards, such as the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard and the National Institute of Standards and Technology’s Cybersecurity Framework?

Metrics that speak to those concerns include:

• Cost to detect and remediate a breach, or mean time to remediate
• Noncompliance issues found in audits
• Percentage of incidents associated with a critical asset

Pick just a few to get started, stay n­onjudgmental and focus on those with the greatest potential impact to the organization.

2. Measure Public-Sector Productivity and Efficiency

In general, public-sector IT budgets for security are lower than in the private ­sector, and seasoned security expertise is increasingly scarce. So, it’s worthwhile figuring out which processes are most time-consuming, and which could reduce risk while making operations more effective and efficient. Examples include ­analyst workload or percent of time spent on administrative tasks; level of unplanned outages; frequency of policy breaches; and effectiveness of security awareness programs.

Avoid getting caught in analysis paralysis. Ensure metrics are SMART: specific, measurable, actionable, relevant and timely.

3. Establish Security Performance Benchmarks

Show how your department and organization’s current performance compares with past performance, and how you stack up against your peers. Reports from sources such as Gartner, Forrester or the Ponemon Institute can help establish benchmarks and set targets.

A quarterly schedule is reasonable when starting a program because it will take some work to create procedures, gather data, analyze it and come to conclusions.

Reports from security tools (such as privileged access management systems or anti-malware tools) and audit reports provide much of the data, but some information may need to be gathered by hand. Automate those efforts as quickly as possible. Reporting can split by department or team. If a specific group regularly fails security training, but the rest of the organization does not, a departmental breakdown can highlight corrective action that will improve the entire organization’s security stance.

4. Don't Just Report Results, Tell a Compelling Story

Communication can take the form of a written monthly report, a quarterly in-person presentation, or inclusion in quarterly operational or budget reviews. For each of the metrics, include a synopsis of the current situation; a comparison to benchmarks, peers or other departments; trends uncovered; and corrective action desired.

A simple report can be effective, but a PowerPoint presentation or a scorecard can convey the information in an easier-to-understand format. In-person presentations allow you to immediately clarify issues and better engage your audience, but they can be intimidating, especially if there is concern that the meeting will turn into a blame session. Realize that although early numbers might show a series of weaknesses, the act of reporting them and suggesting corrective action will, over time, improve security operations.

When meeting with other departments, highlight areas that directly impact them, such as compliance or ­out-of-policy endpoints. Try not to rehash past mistakes; instead, focus on the way forward with metrics to support your conclusions. For presentations to senior leadership, find the right balance between being overly technical and too generic, and tie metrics back to the organization’s goals.