Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
10 Security Metrics Categories CISOs Should Present to the Board
Boards of directors don't care about a security program's minute technical details. They want to see how key performance indicators are tracked and used.
February 14, 2024
With the US Securities and Exchange Commission requiring CISOs and boards of directors to increase the level of transparency around their organizations' cybersecurity capabilities and to speed up breach disclosure to investors, cyber reporting and metrics have become an even bigger priority for companies this year.
Boards are turning the screws to their security and risk executives to bring a lot more rigor to how they track key performance indicators (KPIs) and key risk indicators (KRIs) — and how they use these metrics to advise and report to the board. Fundamental to both KPIs and KRIs are security operational metrics that track the scope of assets, cybersecurity activities around those assets, and measured security outcomes.
"Security teams use operational metrics to track and report on cybersecurity activities and outcomes," explains The Cyber Savvy Boardroom, a recent primer published by a pair of longtime cyber-risk leaders to help directors and executive leaders wrap their arms around cyber issues. "When shared with the board of directors’ risk or audit committees, these key performance indicators illuminate the organization’s cybersecurity capabilities and the efficiency of cyber controls while also helping the board of directors evaluate the adequacy of investments in technology and talent."
Co-authored by Homaira Akbari, CEO of global advisory firm AKnowledge Partners, and Shamla Naidoo, head of cloud strategy for Netskope, the book covers a lot of ground, but some of the most vital parts of the primer focus on metrics. Dark Reading summarizes and excerpts from the tome here to present the most common metrics that Akbari and Naidoo believe to be crucial for CISOs to track and share with the board in order to report on risk levels and security performance.
The caveat, of course, is that security leaders need to be able to roll up these metrics into assessments and dashboards that are easy to digest. As explained in the primer, the metrics detailed in each category create a data-backed model for determining the efficacy of an organization's program and identifying gaps in protection.
"The conclusions of these assessments should be summarized in several overall ratings and included in the company’s cybersecurity dashboard," Akbari and Naidoo explain.
Data
These metrics should scope risk around data assets and track performance in key protection measures for data security, resilience, and continuity. Some of the metrics Akbari and Naidoo advise CISOs to track in this category include:
% data centralized
% data encrypted
Backup frequency
Speed of data recovery
% employee/customer/user info on Dark Web
Depth of data-lake segmentation
Financial Assets
Financial asset risks and losses are included in this grouping of metrics, which should give a measured feel for financial consequences from recent breaches. Some metrics the authors suggest tracking (based on past quarters or over the past year) include:
Value of actual money/crypto lost directly
Value of money or productivity losses in form of ransomware
Volume of financial data leaked (accounts, credit cards, loyalty points, online banking credentials)
While not specifically listed, data on financial losses from business email compromise (BEC) and indirect breach response costs would also be valuable to track.
People
Whether it is falling prey to phishing or BEC attacks — exposing data by not following policy or exposing systems in other ways — people are usually an enterprise's biggest vulnerability. While it may be hard to measure the efficacy of security awareness training, there are some good proxies to get a general sense of how well an organization's people are adhering to security best practices and policies. The authors suggest the following metrics in this category:
% phishing email click-through
% suspicious email reported
Passwords hacked
Privileged accounts to total accounts
% employees moving data/files out of the enterprise
Other metrics not directly mentioned but are still relevant include the results from phishing simulations, knowledge assessment scores, and behavioral or account data about high-risk individuals.
Suppliers
With third-party risk management and the digital supply chain security on the forefront of many executives' minds in the wake of events like SolarWinds, boards will want to be informed of supplier-related security operations risks and performance levels. Akbari and Naidoo believe CISOs would do well to keep the business attuned to trending data and metrics around:
Self-certification of cybersecurity posture of third parties
External scoring against peers and industry
Continuous monitoring of posture of third and fourth parties
External audit compliance
Penetration testing scores (from suppliers)
Data about suppliers will likely have a lot of overlap with metrics about enterprise applications (see below), as application security teams start to look at software supply chain risk, including risky dependencies from third-party code and components.
Infrastructure
Whether on-premises or in the cloud, IT infrastructure exposures and security capabilities in mitigating risks across the network and hardware assets should be appropriately monitored and measured. Some operational data that the authors suggest in this category include metrics around:
Number of servers/hardware approaching end of life
Secure configurations of all assets
Depth of network/ infrastructure segmentation
Level of automation of inventory and control of hardware assets
Vulnerability scanning
Depth of zero-trust architecture deployment: identity, device, access, services
User-Controlled Devices
CISOs should be able to give board members a feel for the level of control their organizations have over shadow IT and other user-controlled devices operating on the network. Akbari and Naidoo say the following common metrics should be on the radar:
Number of unidentified devices on the network
Number of devices with unpatched software
Rate of false positives
Number of threats detected and prevented by the endpoint solution
New Technologies: IoT
The scope and scale of Internet of Things (IoT) devices has opened up significant risk to enterprises over the course of the past decade. The authors suggest that CISOs provide some risk metrics around these, including:
Number of non-upgradable or patchable IoT devices
Number of IoT ports connecting to enterprise networks
Depth of loT segmentation from enterprise resources
While the focus is currently on IoT, the same approach could work for all emerging technology. AI, for example, could include metrics around AI use and — with some emerging AI security tooling — risk exposure levels from AI use in the organization.
Enterprise Applications
Whether it is from commercial software or applications developed in-house, applications present some of the biggest attack surfaces in the enterprise today. Akbari and Naidoo offer a couple of common metrics boards should be apprised of:
Known open software vulnerabilities
Software patches outstanding
Number of zero-day software vulnerabilities
There is no shortage of additional application security data and metrics that can help track performance and risk levels across application portfolios. Consider including data such as rate of automated versus manual code review, time to fix critical vulnerabilities, open rate of critical vulnerabilities, and metrics that add context about exploitability or business value of assets with known critical flaws.
Testing Security Posture
Security validation and testing is an important part of a security program, so CISOs should be beholden to track not only the results from security tests, but also the rate at which they conduct testing. Some metrics that fall into this category, according to Akbari and Naidoo, are:
Penetration(red, blue) testing
Independent external security ratings versus peers and the industry
Internal/external auditor report on regulatory and cyber compliance
Application and other testing scores and discoveries
Incident Detection and Response
Boards of directors will be very interested in a security team's ability to detect and respond to incidents. Akbari and Naidoo recommend some of the following common ops metrics to track this:
• Volumes and % of actual incidents versus intrusion attempts
• Mean time to detect
• Mean time to contain
• Mean time to remediate/resolve
• Red team scores and discoveries
Additionally, CISOs may benefit from offering metrics and results from tabletop exercises and attack simulations if these are activities they engage in.
About the Author
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024