
Edge Articles

12:55 PM
Joan Goodchild

6 Unique InfoSec Metrics CISOs Should Track in 2020

You might not find these measurements on a standard cybersecurity department checklist. But they can help evaluate risks you haven't even considered yet.

(image by Artur, via Adobe Stock)

Return on Investment

ROI is nothing new, but it still might not have made it into your Information Security department. (You might have even done your very best to keep it out.)

Nevertheless, Roger Hale, CISO-in-Residence at YL Ventures, says "I prefer to provide metrics showing the value of the past investments, as well as where there is still risk to be addressed. Focus areas include data showing our Cyber Insurance levels, external internet risk scores, the executive summary of our annual third-party risk assessment, with agreed-upon mitigation/remediation activity, and our security program coverage map broken out by CSF categories of: Identify or (Visibility), Protection, Detection, Response and Recover. This approach provides the board with information they need to assure that the company is investing in the right areas of security and privacy and helps them to accept the residual risk."

George Wrenn, CEO of CyberSaint Security and former CSO of Schneider Electric, has a mathematical equation he uses for ROI measurement, which looks like this: (Mitigation coefficient X (Likelihood X $ Impact) - Cost of Completion) / Cost of Completion.

"The mitigation coefficient, in this case, can range, but I typically use .9 which assumes that any control or security solution mitigates 90% of negative effects. I have seen this adjusted for more conservative estimates, though. The likelihood, using NIST's methodology, is broken down into Very Low (0.1), Low (0.25), Medium (0.5), High (0.75), Very High (1.0). This equation is designed to be applied on a per control basis. The value of that is being able to see where gaps exist, and where the greatest opportunities for investment lie."
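The per-control ROI formula above, carried through on a small set of controls, as an added example that is not code from the article or from CyberSaint. The control names, dollar impacts and costs are constructed for illustration; the mitigation coefficient default of 0.9 and the five NIST likelihood values are the ones quoted in the text. Ranking the results shows the "where the greatest opportunities for investment lie" view the quote describes, and a negative ROI flags a control whose cost exceeds the loss it is expected to avert.

```python
from dataclasses import dataclass

# NIST qualitative likelihood levels and the numeric values quoted in the article.
LIKELIHOOD = {
    "very low": 0.1,
    "low": 0.25,
    "medium": 0.5,
    "high": 0.75,
    "very high": 1.0,
}


@dataclass
class Control:
    name: str        # hypothetical control name (constructed for this example)
    likelihood: str  # NIST qualitative likelihood of the threat the control addresses
    impact: float    # estimated dollar impact if that threat materialises
    cost: float      # cost of completion (implementing/operating the control)


def control_roi(control: Control, mitigation: float = 0.9) -> float:
    """Wrenn's per-control ROI: (m * (L * I) - C) / C.

    m = mitigation coefficient (0.9 assumes the control removes 90% of the loss),
    L = numeric likelihood, I = dollar impact, C = cost of completion.
    """
    if control.cost <= 0:
        raise ValueError("cost of completion must be positive")
    level = control.likelihood.lower()
    if level not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood level: {control.likelihood!r}")
    avoided_loss = mitigation * LIKELIHOOD[level] * control.impact
    return (avoided_loss - control.cost) / control.cost


def rank_controls(controls, mitigation: float = 0.9):
    """Return (name, ROI rounded to 2 places) sorted best to worst."""
    scored = [(c.name, round(control_roi(c, mitigation), 2)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample portfolio; the figures are illustrative, not real estimates.
SAMPLE_CONTROLS = [
    Control("MFA on remote access", "high", 2_000_000, 150_000),
    Control("EDR on endpoints", "medium", 1_500_000, 400_000),
    Control("DLP for outbound email", "low", 800_000, 300_000),
]

if __name__ == "__main__":
    for name, roi in rank_controls(SAMPLE_CONTROLS):
        print(f"{name:<24} ROI = {roi:+.2f}")
    # A more conservative mitigation coefficient (0.7) shrinks every figure.
    for name, roi in rank_controls(SAMPLE_CONTROLS, mitigation=0.7):
        print(f"{name:<24} ROI@0.7 = {roi:+.2f}")
```

Running the module as a script prints the ranking at the default coefficient and again at 0.7, which is the "more conservative estimate" adjustment the quote mentions; the ordering of controls is unchanged by the coefficient, but whether a control crosses from positive to negative ROI can be.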

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.