This article was contributed by Joe Partlow, CTO, ReliaQuest
Traditionally, the end of the year has been a critical time for organizations to finish their preparations for the coming year. New budgets are allocated, and it is up to department leaders to communicate last year's metrics, results, and challenges to justify additional spending for next year. In 2021, cybersecurity was in the spotlight like never before, with cybercrime reported to have increased 600% during the pandemic. Because of this, organizations are being told to tackle cybersecurity by direct order from above, from CEOs and board members.
However, among all the metrics department leaders analyze, one of the hardest things to track is security progress and effectiveness. In fact, measuring this progress remains the main obstacle for organizations looking to implement an IT security risk management program, so it is essential that cyber leaders understand how to communicate it to top management effectively.
As companies begin to implement plans for 2022, it is important that security leaders meet first with their direct reports to discuss which metrics to track, so that the basis for measurement is clearly established. Once that is resolved, both parties will need to align themselves on ways to continually review and adjust these metrics to ensure the plan does not become obsolete.
Create a baseline for next year
When it comes to reporting metrics in an organization, it is critical that all department leaders have a conversation with their direct reports at least three to four months before the reporting stage. This is a crucial step in ensuring that the department leader is well prepared and can determine which results will best resonate with the board. From a sales standpoint, this conversation is pretty straightforward. How many sales leads are you receiving per month? How many of them turn into successful sales? How good are you at talking to potential clients on the phone?
However, from a cybersecurity standpoint, tracking effectiveness and displaying ROI for the C-suite and the board is more complicated. There are no monthly quotas to meet, and many team leaders struggle with ways to show performance.
Deciding which metrics to track depends on a number of factors, such as the size of your organization, how many customers you have, or even where your company headquarters are located. That said, there are several aspects of an organization’s security posture that should be tracked for companies of any size.
Align with security metrics
One of the most important skills a security professional can develop is telling a complicated story to a non-technical colleague, and since 63% of security managers reportedly believe board members do not understand the value of new security technologies, telling this story can be challenging.
The easiest way to have this conversation is to lead with metrics. While these will vary by organization, look at the following metrics that all security team leaders should be aware of and the tactics for communicating that progress to the board.
- Level of preparation: This metric should be constantly monitored because it shows how prepared a company is for an impending breach. It is also one of the most difficult to communicate to the board, because there is no single, quick number that quantifies how "ready" an organization is. However, the share of corporate network devices that are up to date and patched within an agreed window is a practical proxy: it is a concrete step employees can take, and a number you can report and track.
- Tool efficiency: This is important because, as a security leader, you are responsible for advising on the tools and services the security team should invest in. There are many services that give a snapshot rating of third-party providers, which can be continuously verified, trended over time, and presented to the board. These ratings are an effective way to show progress to a non-technical audience and to justify the budget required for a specific piece of security infrastructure.
- Attempted breaches or security incidents: Although hard to interpret in isolation, this is a necessary metric to communicate. It shows not only how many times attackers tried to attack the corporate network, but also how many of those attempts were detected and blocked. Report attempts, detections and blocks side by side: a falling count can mean fewer attacks, but it can also mean weaker visibility, and the board should see which one it is. A year-over-year decrease in these events will be a key benchmark board members use to judge the success of their security program and where changes may be necessary.
- Mean time to detect, contain and resolve attacks: These three need to be tracked separately, but analyzing them together can reveal where parts of an incident response plan are missing or slow. These measures carry significant weight with board members when you are trying to convince them to invest more resources in security tools that will make the company's response to a potential cyberattack as fast and efficient as possible.
- Trends and risk mapping for the business: Demonstrating that the security program is addressing the most significant risks to the business is critical to gaining board buy-in and support. Mapping critical business risks back to the security controls and technologies you are implementing is the best way to show ROI along with trending results.
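As an added example (not code from the article or from ReliaQuest), the following Python script computes the metrics above from incident and device records. The record layout, the field names, the sample incidents and the host names are all assumptions constructed for illustration; the point is that time-to-detect, time-to-contain and time-to-resolve are computed per phase rather than as one end-to-end number, that incidents first reported by an outside party are counted separately from those your own controls caught, and that patch coverage is reported together with the list of stale devices so it can be acted on.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass
class Incident:
    # Hypothetical record shape: the timestamps an IR process normally captures.
    incident_id: str
    started: datetime        # earliest evidence of attacker activity
    detected: datetime       # when the security team became aware
    contained: datetime      # attacker access cut off
    resolved: datetime       # systems restored, ticket closed
    detected_by: str         # "internal" (own controls) or "external" (a third party told us)
    auto_blocked: bool = False   # a control stopped it without analyst action


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def _summarize(values):
    if not values:
        return {"count": 0, "mean_hours": None, "median_hours": None}
    return {"count": len(values), "mean_hours": mean(values), "median_hours": median(values)}


def response_metrics(incidents):
    """Mean and median hours per phase, computed separately so a slow phase
    (e.g. long dwell time before detection) is visible instead of being
    averaged away in a single start-to-resolution figure."""
    return {
        "detect": _summarize([_hours(i.started, i.detected) for i in incidents]),
        "contain": _summarize([_hours(i.detected, i.contained) for i in incidents]),
        "resolve": _summarize([_hours(i.contained, i.resolved) for i in incidents]),
    }


def detection_summary(incidents):
    """Counts for the period. External detections are the ones to flag:
    someone else saw the attack before our own controls did."""
    total = len(incidents)
    internal = sum(1 for i in incidents if i.detected_by == "internal")
    return {
        "incidents": total,
        "detected_internally": internal,
        "detected_externally": total - internal,
        "auto_blocked": sum(1 for i in incidents if i.auto_blocked),
        "internal_detection_rate": internal / total if total else None,
    }


def patch_coverage(devices, as_of: datetime, window_days: int = 30):
    """Fraction of devices patched within window_days of as_of, plus the stale ones."""
    cutoff = as_of - timedelta(days=window_days)
    stale = sorted(name for name, last_patched in devices.items() if last_patched < cutoff)
    covered = len(devices) - len(stale)
    return {"devices": len(devices), "covered": covered,
            "coverage": covered / len(devices) if devices else None, "stale": stale}


# Constructed sample data (not real incidents or hosts).
_T = datetime(2021, 11, 1, 8, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-1", _T, _T + timedelta(hours=1), _T + timedelta(hours=3),
             _T + timedelta(hours=27), "internal"),
    Incident("INC-2", _T + timedelta(days=1), _T + timedelta(days=1, hours=0.5),
             _T + timedelta(days=1, hours=0.5), _T + timedelta(days=1, hours=1.5),
             "internal", auto_blocked=True),
    Incident("INC-3", _T + timedelta(days=2), _T + timedelta(days=2, hours=72),
             _T + timedelta(days=2, hours=80), _T + timedelta(days=2, hours=200),
             "external"),   # a partner notified us three days after the fact
    Incident("INC-4", _T + timedelta(days=3), _T + timedelta(days=3, minutes=15),
             _T + timedelta(days=3, minutes=15), _T + timedelta(days=3, hours=2, minutes=15),
             "internal", auto_blocked=True),
]
SAMPLE_DEVICES = {
    "web-01": datetime(2021, 11, 20), "web-02": datetime(2021, 10, 15),
    "db-01": datetime(2021, 11, 1), "vpn-01": datetime(2021, 11, 28),
    "legacy-01": datetime(2021, 9, 1),
}
SAMPLE_AS_OF = datetime(2021, 12, 1)


def board_report(incidents=SAMPLE_INCIDENTS, devices=SAMPLE_DEVICES, as_of=SAMPLE_AS_OF) -> str:
    """Plain-text summary in the shape a slide would carry."""
    r, d, p = response_metrics(incidents), detection_summary(incidents), patch_coverage(devices, as_of)
    lines = [
        f"Incidents: {d['incidents']} ({d['auto_blocked']} blocked automatically, "
        f"{d['detected_externally']} first reported by outsiders)",
        f"Internal detection rate: {d['internal_detection_rate']:.0%}",
    ]
    for phase in ("detect", "contain", "resolve"):
        m = r[phase]
        lines.append(f"Time to {phase}: mean {m['mean_hours']:.1f} h, median {m['median_hours']:.1f} h")
    lines.append(f"Devices patched in last 30 days: {p['coverage']:.0%} "
                 f"(stale: {', '.join(p['stale']) or 'none'})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(board_report())
```

On the sample data the median time to detect is under an hour while the mean is over eighteen, because one externally reported incident had three days of dwell time; reporting both numbers, per phase, is what keeps that outlier from being hidden behind an average.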
All good plans need to be constantly reviewed and adjusted, and that is especially true for cybersecurity. The threat landscape will keep evolving, and cybercriminals constantly take advantage of new attack methods. This is not something leaders and security organizations should think about only during planning and reporting seasons, but throughout the year. Without up-to-date response plans and strong security metrics, sophisticated attackers will outpace your organization.
Security leaders can avoid some of the most common mistakes and oversights organizations make by taking the time to determine the best way to measure progress, and therefore to communicate their needs effectively to the C-suite and the board.
Joe Partlow is CTO of ReliaQuest