How to measure the success of your cybersecurity program

Cybersecurity Metrics


Being asked to present to the board and other key stakeholders in your business about the state of your cybersecurity program can be a daunting prospect.

Putting aside the technical jargon can also be challenging for even the most seasoned security professional.

In a previous role as a CISO I sometimes struggled with this myself, as trying to articulate very technical operational statistics in clear and easy to understand business language is challenging!

So I've put together some simple metrics that hopefully any lay person should be able to understand and that will help you convey your message when you next have to present to the Board, monthly steering committee or to other senior stakeholders.

This is a journey, so don't be afraid to change things over time or to try out new ways of presenting statistics to the audience you are trying to reach.

For your metrics to be valuable they should:

  • Be business focussed, first and foremost, and relatable to senior executives or the board of directors
  • Be unambiguous and able to stand on their own, so that if you are not there to explain them your audience can still comprehend them immediately
  • Provide a holistic view covering people, process and technology, so that together they describe the organisation's risk profile. Think security maturity here, and benchmarks for your industry if they are available.
  • Not be sensationalised purely for effect. There should be a story behind what you are telling, and one that can be validated against the underlying data.
  • Talk to the Risk Appetite of the business, with clear but brief commentary on current initiatives and on the measures addressing anything outside risk tolerance, each with a key target date for completion.
  • If using a traffic light system, carry an explanation for anything that is "red" articulating the impact, the likelihood and any existing compensating controls.

Here are some examples of metrics that I have used before:

  1. Cybersecurity Program Initiatives - This should cover the overall status of the security program as a measure of whether it is tracking to plan, along with any road blocks.
  2. Risk Appetite Status - This should show whether the organisation is within its risk tolerance levels or not. It will be a combination of operational metrics and business focussed metrics that roll up into a holistic view of overall risk appetite.
  3. Security Awareness - % of employees that have fallen victim to phishing simulation campaigns, % of repeat offenders, and % of people who have completed training.
  4. Governance, Risk and Compliance - This can be split out into two or more sections, whatever is appropriate for your organisation. It should cover any overdue audit findings (e.g. from previous penetration or red team assessments, external audits etc.). It should also address third party supplier risk, covering the % of supplier contracts that have undergone legal review and cybersecurity review.
  5. Vulnerability Management - This is always a challenging one to convey, so try to avoid technical numbers (raw counts of CVEs, CVSS scores and the like) that won't mean anything to those not close to the operational side of the systems involved. Instead, borrow something from your risk tolerance playbook, such as: "The % of internet facing systems that have defective controls or critical vulnerabilities".
  6. Incident Management - This should talk to effectiveness: the proportion of incidents resolved within the agreed timeframe, and the number of high fidelity (critical) incidents that were prevented.
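To show how the operational numbers behind items 3, 5 and 6 can be rolled up into the kind of business-level figures and traffic lights described above, here is an added example that is not part of the original article. It runs on constructed sample data standing in for exports from a phishing-simulation tool, a vulnerability scanner and a ticketing system; the employee names, hosts, incident times, the CVSS 9.0 "critical" cut-off and the risk-appetite thresholds are all assumptions chosen for illustration, not figures from the author.

```python
from collections import defaultdict
from datetime import datetime

# --- Constructed sample data (not from the article) ----------------------
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
TRAINING_COMPLETED = set(EMPLOYEES)          # everyone finished this quarter
PHISHING_CLICKS = {                          # campaign id -> users who clicked
    "2024-Q1": {"bob", "dave", "frank"},     # ids sort chronologically
    "2024-Q2": {"dave"},
    "2024-Q3": {"carol", "dave"},
}
ASSETS = [                                   # (host, internet facing?, worst CVSS seen)
    ("web-01", True, 9.8),
    ("web-02", True, 5.3),
    ("vpn-01", True, 7.5),
    ("db-01", False, 9.1),                   # internal only, so not "internet facing"
]
INCIDENTS = [                                # (severity, opened, resolved)
    ("critical", "2024-07-01T10:00", "2024-07-01T13:00"),
    ("critical", "2024-07-05T09:00", "2024-07-05T14:00"),
    ("high",     "2024-07-10T08:00", "2024-07-11T07:00"),
    ("high",     "2024-07-15T08:00", "2024-07-15T20:00"),
]
SLA_HOURS = {"critical": 4, "high": 24}      # assumed resolution targets
CRITICAL_CVSS = 9.0                          # assumed definition of "critical"


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def awareness_metrics(employees, clicks_by_campaign, trained):
    """Security awareness: click rate of the latest campaign, repeat offenders
    (clicked in two or more campaigns), and training completion."""
    latest = max(clicks_by_campaign)         # campaign ids sort chronologically
    hits = defaultdict(int)
    for users in clicks_by_campaign.values():
        for user in users:
            hits[user] += 1
    return {
        "phish_click_pct": pct(len(clicks_by_campaign[latest]), len(employees)),
        "repeat_offender_pct": pct(sum(1 for u in employees if hits[u] >= 2), len(employees)),
        "training_complete_pct": pct(len(trained & set(employees)), len(employees)),
    }


def exposed_critical_pct(assets, critical_cvss=CRITICAL_CVSS):
    """Vulnerability management: % of internet-facing systems carrying at
    least one critical vulnerability. Internal hosts are excluded on purpose."""
    external = [a for a in assets if a[1]]
    bad = [a for a in external if a[2] >= critical_cvss]
    return pct(len(bad), len(external))


def incident_sla_pct(incidents, sla_hours):
    """Incident management: % of incidents resolved within the SLA for their severity."""
    fmt = "%Y-%m-%dT%H:%M"
    within = 0
    for severity, opened, resolved in incidents:
        hours = (datetime.strptime(resolved, fmt) - datetime.strptime(opened, fmt)).total_seconds() / 3600
        within += hours <= sla_hours[severity]
    return pct(within, len(incidents))


def rag(value, green_limit, amber_limit, higher_is_better=False):
    """Traffic light against risk appetite. For 'lower is better' metrics the
    limits are maximums; for 'higher is better' metrics they are minimums."""
    if higher_is_better:                     # flip sign so one comparison works for both
        value, green_limit, amber_limit = -value, -green_limit, -amber_limit
    if value <= green_limit:
        return "green"
    if value <= amber_limit:
        return "amber"
    return "red"


def board_summary():
    """Roll the operational numbers up into board-level metrics with a RAG status.
    Thresholds are assumed risk-appetite values, not the author's."""
    aw = awareness_metrics(EMPLOYEES, PHISHING_CLICKS, TRAINING_COMPLETED)
    metrics = {   # name: (value, green limit, amber limit, higher_is_better)
        "Staff clicking the latest phishing simulation (%)": (aw["phish_click_pct"], 10, 25, False),
        "Repeat phishing offenders (%)": (aw["repeat_offender_pct"], 5, 10, False),
        "Staff with security training complete (%)": (aw["training_complete_pct"], 95, 85, True),
        "Internet-facing systems with a critical vulnerability (%)": (exposed_critical_pct(ASSETS), 0, 5, False),
        "Incidents resolved within SLA (%)": (incident_sla_pct(INCIDENTS, SLA_HOURS), 95, 70, True),
    }
    return {name: (value, rag(value, g, a, hib)) for name, (value, g, a, hib) in metrics.items()}


if __name__ == "__main__":
    for name, (value, status) in board_summary().items():
        print(f"{status.upper():5} {value:6.1f}  {name}")
```

Each "red" line in the output is exactly the kind of figure the earlier bullet says needs a written explanation of impact, likelihood and compensating controls; the raw per-host CVSS scores and per-ticket timings stay in the appendix.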

If your audience is interested in digging deeper into the operational metrics, keep these in your back pocket or as an appendix to your presentation.

Lastly, these metrics should be presented in a way that resonates with the overall business objectives and risk tolerance, so make use of good visualisations, charts and infographics that enhance understanding and support key decision making.

I hope you have found that useful and if you want to find out more or are struggling with metrics please get in touch!
