While this seems obvious, in practice it’s not so easy to do consistently. While there are many tools that can help here, let’s focus on using security metrics for this purpose. In other words, how can we use security metrics to keep us safe?
In this spirit, here are top tips for leveraging security metrics to keep your organisation from being harmed:
Keep stakeholders informed: Regardless of your security organisation’s maturity level, most key stakeholders want an accurate read on the security program more than anything else. That’s the case even when the program is not as well-oiled as it should be. Executives, management, customers, partners, and other stakeholders want to know that the security team is continually maturing and improving, and that they are actively reducing and mitigating the risk that the organisation faces. How the team is tracking in relative terms and when and how it will get to the desired level of maturity is typically more important than where the team is today in absolute terms. It is precisely because of this that developing meaningful, relative, clear and concise metrics is so important. Allowing stakeholders to easily track your trajectory reduces doubt and the volume of ad hoc questions and inquiries the team will get. This, in turn, helps to keep the security organisation out of the lion’s den of uncertainty and lack of confidence that poor metrics creates.
Monitor risk: The security organisation’s responsibility, first and foremost, is to reduce and mitigate risk to the organisation. As you can imagine, it’s much easier to do so when an effective means by which risk can be measured is in place. This is one area in which metrics can provide great advantages by giving us a framework through which we can track and monitor risk over time. Doing so requires taking the time to understand which risks take the highest priority when it comes to measurement, and subsequently devising a means by which those risks can be measured over time. This is not a trivial undertaking, but it is one that pays huge dividends. When done properly, measuring risk allows the organisation to keep an eye on areas where risk may be rising to unacceptable levels, potentially putting the organisation into the lion’s den. Effective risk metrics are another great way to keep the security team out of danger.
Monitor progress: If you’ve made some good choices, your security organisation will mature and improve over time. But all of that effort is for nothing if you don’t have an effective way to measure that progress. Developing the right progress metrics isn’t an easy task, but it is a worthwhile one. Once you prioritise the list of functional areas that are important to your stakeholders, you will need to develop objective measurements to track and trend the team’s progress. These measurements will need to stay consistent over time. They will also need to be understandable and relatable to your stakeholders and evaluators. More important than where the team finds itself today is that it shows a consistent upward track. If progress in specific functional areas begins to stall out or recede, those areas will need to be addressed. Having the ability to measure continually and to efficiently identify snags along the way can help keep the security organisation from treading in the deep water that results from stagnation.
Benchmarks: While many categories of metrics compare the organisation to itself over time, performance metrics are not one of those categories. Before we can discuss performance metrics, we must discuss the topic of benchmarks. Benchmarks provide us a way to understand where we sit compared with peer organisations, industry standards, third-party organisations, and best practices. While there are no hard and fast rules for finding the benchmarks that suit the organisation, it is generally helpful to look at where organisations that are of a similar size, budget, geographic location, and industry fall along a number of performance criteria. However you decide to slice this data and whatever sources you opt to get it from, it should remain consistent throughout your reporting to ensure that performance is measured against a constant scale. Benchmarking is the first step towards staying out of trouble that results from poor performance metrics reporting.
Monitor performance: Once the appropriate benchmarks have been determined, the security team can set about measuring its performance. It goes without saying that it is important to be as objective as possible during this pursuit. The ideal performance metrics are objective and analytical - operating on precisely the right subset/slice of data. How these metrics are devised will depend partially on the benchmarking that has been done and partially on stakeholder guidance. Regardless of what set of performance metrics is agreed upon, they should be reported against consistently with an eye towards continual improvement. If performance begins to drop in one or more areas, that’s a sign that the security organisation could be better.