Metrics That Matter: A Guide to Enhancing Security Reporting

Are your reports neglected or ignored? Up your game around the metrics you use to measure protection.

Metrics are vital for security leaders to track the progress of security programs and have effective, risk-focused conversations with business and operations stakeholders.

As today's security functions are expected to plan and track business contributions to enable strategic alignment that wins and retains customers, security metrics should help demonstrate to business leadership that the security program in place is effective and instrumental to operations. If business leaders ignore these metrics, it's time to alter reporting to make these figures more meaningful and demonstrate value to the overall business.

To ensure existing information security metrics align with the current technical landscape and threat environment, consider the following principles.

Review Metrics Categorization for Comprehensiveness
Examine the current functional categorization for comprehensiveness and framework alignment, considering security and compliance requirements (e.g., PCI, HIPAA, FRB) in light of currently applicable regulatory, legislative, and industry best practices. Consider metrics concerning the chosen framework for security management.

Review Individual Metrics for Holistic Risk Representation
Review existing metrics for suitable attributes such as effectiveness, efficiency, coverage, compliance, timing, cost, and process maturity. This step helps the stakeholder understand the specific risk exposure and quantifiably measure each security metric. For meaningful insight, each metric should have an appropriate unit of measurement. Measurement can be qualitative, quantitative, or binary, depending on the kind of metric.

Review Security Metrics' Life Cycle
Review existing metrics for their continued relevance at least annually. In areas where metrics have been successful in driving maturity, recommendations should be made to modify metrics or enhance the thresholds. Determine whether metrics need to be modified based on changes in overall program maturity, underlying technologies, threats, risks, and/or regulations.

Review Metrics for Context, Reliability, and Credibility
Use metrics to provide the necessary context, reliability, and credibility by looking into the availability of supporting data and explanatory notes where needed. Be sure to also clearly articulate the definition of the metric – your audience needs to understand what is being measured, its business impact, and the meaning of the metric. Don't just present data in isolation, leaving the audience to interpret the measure or work out the risk/exposure involved.

Review Action Orientation of Metrics
Interpret insights to help provide actionable recommendations; don't just rely on numbers. If the required actions are not made explicit, reporting will not serve its purpose. Be sure that metrics provide adequate information to help target audiences make relevant decisions.

Once you have the proper security metrics available, communication and presentation are vital from a security metrics reporting perspective. While enhancing existing security metrics, use communication that informs stakeholders of key risks; provides assurance around risk and compliance; fortifies risk appetite discussions; makes the case for funding; and, overall, satisfies expectations for different functions to measure results.

Presentation of security metrics should be clear and concise, and should match the scope and needs of the audience. Metrics may be presented to the board of directors, CEO, CISO, and CRO.

First, determine the appropriate level of detail based on role (function) and level. Content, formats, and presentation styles should be determined to communicate effectively depending upon the role (function) and level of the audience. For example, a presentation to the information security team (or equivalent) could be very detailed, with data taken from log files and focused on technical issues. A presentation for executives should focus on covering compliance activities, project successes, and key business risks.

Secondly, select the appropriate presentation format. Depending on the intended message and the level of detail of the presentation, one or more formats below should be selected for specific reporting requirements. Where the requirement is to convey a large volume of information in an easily understandable and clear format, a non-text-based method should be used. These allow rapid comprehension and provide a balanced, high-level view.

Use visual elements in dashboards to communicate your story and major points. Dashboards present a large amount of data quickly and concisely, while charts can present trends and forecasts. Traffic lights may be used to present the status of initiatives, compliance, and other elements, supported by tables of data only where required.

In summary, security metrics should provide context and motivation for information security efforts, boost the credibility and understanding of information security risks and efforts, create a clear call to action for risk remediation, provide compliance assurance, and consistently support decision-making and influence security strategy decisions. If used properly, they can create a more effective security strategy across organizations and industries.
