10 Security Metrics Categories CISOs Should Present to the Board

With the US Securities and Exchange Commission requiring CISOs and boards of directors to increase the level of transparency around their organizations' cybersecurity capabilities and to speed up breach disclosure to investors, cyber reporting and metrics have become an even bigger priority for companies this year.

Boards are turning the screws to their security and risk executives to bring a lot more rigor to how they track key performance indicators (KPIs) and key risk indicators (KRIs) — and how they use these metrics to advise and report to the board. Fundamental to both KPIs and KRIs are security operational metrics that track the scope of assets, cybersecurity activities around those assets, and measured security outcomes.

"Security teams use operational metrics to track and report on cybersecurity activities and outcomes," explains The Cyber Savvy Boardroom, a recent primer published by a pair of longtime cyber-risk leaders to help directors and executive leaders wrap their arms around cyber issues. "When shared with the board of directors’ risk or audit committees, these key performance indicators illuminate the organization’s cybersecurity capabilities and the efficiency of cyber controls while also helping the board of directors evaluate the adequacy of investments in technology and talent."

Co-authored by Homaira Akbari, CEO of global advisory firm AKnowledge Partners, and Shamla Naidoo, head of cloud strategy for Netskope, the book covers a lot of ground, but some of the most vital parts of the primer focus on metrics. Dark Reading summarizes and excerpts from the tome here to present the most common metrics that Akbari and Naidoo believe to be crucial for CISOs to track and share with the board in order to report on risk levels and security performance.

The caveat, of course, is that security leaders need to be able to roll up these metrics into assessments and dashboards that are easy to digest. As explained in the primer, the metrics detailed in each category create a data-backed model for determining the efficacy of an organization's program and identifying gaps in protection.

"The conclusions of these assessments should be summarized in several overall ratings and included in the company’s cybersecurity dashboard," Akbari and Naidoo explain.

Data

These metrics should scope risk around data assets and track performance in key protection measures for data security, resilience, and continuity. Some of the metrics Akbari and Naidoo advise CISOs to track in this category include:

Financial Assets

Financial asset risks and losses are included in this grouping of metrics, which should give a measured feel for financial consequences from recent breaches. Some metrics the authors suggest tracking (based on past quarters or over the past year) include:

While not specifically listed, data on financial losses from business email compromise (BEC) and indirect breach response costs would also be valuable to track.

People

Whether it is falling prey to phishing or BEC attacks — exposing data by not following policy or exposing systems in other ways — people are usually an enterprise's biggest vulnerability. While it may be hard to measure the efficacy of security awareness training, there are some good proxies to get a general sense of how well an organization's people are adhering to security best practices and policies. The authors suggest the following metrics in this category:

Other metrics not directly mentioned but are still relevant include the results from phishing simulations, knowledge assessment scores, and behavioral or account data about high-risk individuals.

Suppliers

With third-party risk management and the digital supply chain security on the forefront of many executives' minds in the wake of events like SolarWinds, boards will want to be informed of supplier-related security operations risks and performance levels. Akbari and Naidoo believe CISOs would do well to keep the business attuned to trending data and metrics around:

Data about suppliers will likely have a lot of overlap with metrics about enterprise applications (see below), as application security teams start to look at software supply chain risk, including risky dependencies from third-party code and components.

Infrastructure

Whether on-premises or in the cloud, IT infrastructure exposures and security capabilities in mitigating risks across the network and hardware assets should be appropriately monitored and measured. Some operational data that the authors suggest in this category include metrics around:

User-Controlled Devices

CISOs should be able to give board members a feel for the level of control their organizations have over shadow IT and other user-controlled devices operating on the network. Akbari and Naidoo say the following common metrics should be on the radar:

New Technologies: IoT

The scope and scale of Internet of Things (IoT) devices has opened up significant risk to enterprises over the course of the past decade. The authors suggest that CISOs provide some risk metrics around these, including:

While the focus is currently on IoT, the same approach could work for all emerging technology. AI, for example, could include metrics around AI use and — with some emerging AI security tooling — risk exposure levels from AI use in the organization.

Enterprise Applications

Whether it is from commercial software or applications developed in-house, applications present some of the biggest attack surfaces in the enterprise today. Akbari and Naidoo offer a couple of common metrics boards should be apprised of:

There is no shortage of additional application security data and metrics that can help track performance and risk levels across application portfolios. Consider including data such as rate of automated versus manual code review, time to fix critical vulnerabilities, open rate of critical vulnerabilities, and metrics that add context about exploitability or business value of assets with known critical flaws.

Testing Security Posture

Security validation and testing is an important part of a security program, so CISOs should be beholden to track not only the results from security tests, but also the rate at which they conduct testing. Some metrics that fall into this category, according to Akbari and Naidoo, are:

Incident Detection and Response

Boards of directors will be very interested in a security team's ability to detect and respond to incidents. Akbari and Naidoo recommend some of the following common ops metrics to track this:

• Volumes and % of actual incidents versus intrusion attempts

• Mean time to detect

• Mean time to contain

• Mean time to remediate/resolve

• Red team scores and discoveries

Additionally, CISOs may benefit from offering metrics and results from tabletop exercises and attack simulations if these are activities they engage in.