SECURITY METRICS: ART OR SCIENCE?
Are security metrics an art or a science? To me, they are both. The science of security metrics is a comfortable place for many CISOs and technical-minded people. These metrics are fact-based measures of risk levels and performance results, yet they are often technically driven and presented without any context of financial impact, which keeps information security siloed from the business. The art of security metrics is using that information to gain mindshare with business people and shift their thinking toward a unification of security and business process.
In this issue of Feats of Strength, we discuss the power of metrics and how CISOs and the businesses they serve harness this data. The goal is to understand which security metrics best translate to business in order to support the maturity goals being created by CISOs and CIOs.
We chose this topic because for many years we have asked CISOs and other security leaders what types of metrics they share with their executives to move their information security programs up the value chain and align them more closely with current and future business directions. When we correlate the responses, our analyses turn up many one-off, unique answers. Some CISOs say that what they track, in terms of specific metrics such as KPIs or KRIs, is based on what they think is impressive or what they are making progress on, not necessarily what boards or other executives want to hear.
The one significant commonality among CISO answers is that there is a disconnect between the metrics CISOs track and the metrics their businesses are most interested in. More importantly, security may not be in tune with all business lines, and is therefore not tracking the key metrics that correlate to business transformations.
BUSINESS TRANSFORMATION AND METRICS
By and large today, businesses are transforming and experiencing a technology revolution where traditional processes are challenged, modernized, and better automated with great success. Almost every department within an organization now leans toward the future based on outsourced infrastructure, software, or people to accelerate their time to market. Things are now done significantly faster and easier than before.
With all this transformation taking place, how do CISOs and their information security programs keep pace to secure the future and justify the value they provide? Knowing the answer helps determine how to frame your security metrics.
K LOGIX: METRICS-DRIVEN BUSINESS
At the core of K logix, we are a metrics-driven business. We believe information security metrics may be leveraged as an avenue to maintain the same pace of transformation, innovation, and growth as the business. Metrics are the common language to bridge business and security. Metrics around alignment of the security program, technology, and people provide a cohesive picture into how well security is keeping pace and where adjustments need to be made.
Security program. CISOs are ensuring security is actively engaged and communicating with all business units, so they know where their program stands against any changes taking place. This level of interaction enables security to extract important business information and fold it back into the security program. CISOs are then able to provide security program metrics on where they stand against transformations, and to give details about how the security program is changing and where vulnerabilities may be.
Security technology. The same metrics may be formed around technology to understand what technologies are not keeping pace against any business transformations or what can be brought in to accommodate the rate of change. Metrics may be used to understand how to consolidate, automate, and most importantly simplify.
Security people. CISOs are also able to re-tool and re-train their teams according to where their organization currently is and where it is going. Teams focus on the areas that make the most sense given the specific transformations occurring within their businesses. Focused team members produce a more impactful security program that is strongly aligned with the business and moving at the same speed as its transformation.
METRICS KEEP SECURITY AND BUSINESS ALIGNED
In conclusion, by approaching the science and the art of metrics together, security programs, technology, and people will keep pace with business transformation. This keeps security and the business close together and moving at the same pace, and results in security gaining credibility, justification, and buy-in.
In this issue, you will read profiles on CISOs who share their approach to metrics. On page 8, John Masserini (CISO, Millicom Communications) shares specific operational and risk metrics he uses to effectively communicate with his business counterparts and board. We are always interested in hearing from our audience about the types of metrics they use and how they impact their program, people, and technology, so please feel free to share with us and help continue this important conversation.