Using security metrics to achieve cyber resilience (Part Two in the series)

29 Sep 2023

In the first of this two-part series (you can read part one here), we considered emerging channels for cyber attacks, the importance of cyber resilience, and how taking a risk-based approach to cybersecurity gives you an edge over cybercriminals.

In this second part of the series, we look at:

  • Cybersecurity metrics
  • Emerging methodologies
  • The evolving role of IT security leadership

(Cyber) security metrics matter
Cybersecurity threats are always evolving. Fortunately, so are the processes and technology used to address and measure them. To understand how your security functions over time, you need to track cybersecurity metrics. These metrics can also demonstrate if your sensitive information is being protected and can communicate how well you are aligned with and supporting the business, its mission and goals.

Putting these metrics in place makes it possible to regularly evaluate the effectiveness of the safety measures in which you have invested. Measurement also helps to demonstrate to the business how cybersecurity efforts are saving the organization money by preventing and/or containing costly cyberattacks. And, in some industries, measurement reporting is a fiduciary or regulatory duty - having a clear process in place saves time, money, and reduces anxiety for those whose job it is to protect your data and systems.

Which cybersecurity metrics should you choose?
There is no single rule for choosing how to track or measure cybersecurity. Every company quantifies and assesses risk in its own way based on situational variables, such as: 

  • Required protocols and certifications
  • Company culture
  • Industry
  • Business model
  • Global region
  • Budget variances
  • Individual personalities 

The risk-based approach to cybersecurity is customizable and enables you to tailor cybersecurity programs to specific requirements and operational vulnerabilities that are unique to your needs.

Examples of useful metrics to track include:

  • Vulnerability management – how many devices on your network are fully patched?
  • Unidentified devices on internal networks – are employees unknowingly introducing malware?
  • Security incidents – simply tracking numbers doesn’t add much value; however, trending over time can provide insights to your program’s effectiveness and areas that may need more attention. Significant or unique events should communicated, as well.  
  • Time to detect, resolve and contain – how long does it take to complete each critical phase?

From a business perspective, also consider communicating:

  • How many deals you helped close or enabled.
  • Ongoing or completed projects that enabled/supported key business initiatives.

Another related benefit to the risk-based approach involves how it separately measures both the risk reduction efforts you have made and the actual reduction in risk. Traditional practices measure collective effectiveness based on program completion. Although a single metric, measuring this way doesn't tell the entire story of your effort – or your risk.

Too often, we make decisions based on conflicting metrics. By clearly linking efforts or action taken to actual risk reduction, we can make business decisions that weigh impact more effectively. This provides the flexibility to adjust for risk reduction at any level, wherever risk exists.

Regardless of the metric, it has to be meaningful to the person or group to whom its being presented. Additionally, you should consider that you may have different tiers of metrics depending on the audience. More technical detailed metrics may be needed for some audiences and, in other cases, higher level summary metrics may be appropriate.

A risk-based approach helps to make business decisions that weigh impact more effectively by clearly linking inputs and outputs.

Using emerging methodologies to provide structure

Decisions about how best to reduce cyber risk can be controversial and often vary based on your unique needs and priorities. In some cases, you can use a formal methodology that provides an in-depth and customizable process for assessing risk for a particular business situation. Such methodologies measure and manage cyber risks using best practices that focus on innovation and education.

One such example is Factor Analysis of Information Risk ([FAIRTM](https://www.fairinstitute.org/)), an open standard quantitative risk analysis model that describes what risk is, how it works and how to quantify it. The methodology provides the means to determine how much risk you have; how much risk specific factors represent; how much more or less risk you will have as specific factors change; and what the most cost-effective options are for managing it.

FAIR can be used anywhere you need to know how much risk exists. For example, for audit findings, policy exception requests, comparing risk issues (i.e. does option a or option b represent more risk to our organization?), augmenting cyber insurance coverage, building business cases for new security measures, or for defending security expenditures.

Other structured methodologies are often used independently of or in conjunction with methods like FAIR to complement or supplement a risk management approach.

For example, compliance-first and checklist approaches systematically address cybersecurity based on a list of known security requirements. These approaches lend themselves well to benchmarking, particularly for goal setting and evaluating. They do this by identifying gaps in controls and comparing against other organizations, or by evaluating the quality of processes, goal setting, and progress evaluation. However, keep in mind, not all methodologies are useful for understanding the tangible impact of risk or the various nuances associated with it.

The evolving role of IT security leadership

Today a company’s most senior security resource is commonly involved in both quarterly and annual planning, inputs and results. Conversely, the organization's full executive leadership team is aware of cyber threats and vulnerabilities and invested in the decision-making, buying processes and prevention plans that inform its entire cybersecurity ecosystem—not just the CIO or CSO.

While having more stakeholders in the mix may sound counterintuitive to agility and efficiency, you'll realize many benefits to having the full team’s involvement. It provides alignment among departments and team members all driving toward the same goal—reducing risk.

This trend will continue as security planning continues to move from the back office to the front and security leaders become trusted advisors and partners to the business. 

Action to take for cyber security success

If an approach to cybersecurity is informed by fear, uncertainty and doubt, its runway for success will be short; stakeholders will lose their patience; and faith and trust will be lost. To stay vigilant, you must:

  • know and address existing and emerging channels for cyberattack;
  • familiarize yourself with security metrics and determine which ones are most meaningful to you; 
  • employ a risk-based approach to address the most high-risk vulnerabilities; 
  • educate your whole company about cybersecurity; 
  • and give IT security a seat at the table. 

To tackle the most impactful risks to your business, you must move beyond compliance and prioritize your highest threats. This comprehensive approach offers the greatest cyber resilience and ultimately, it will pay big dividends.

Using security metrics to achieve cyber resilience

Source:  RICOH USA