I have a few deceptively simple rules about metrics:
- We should know the specific question each metric answers
- We should know why each question is important to the program
- We should know in advance what levers to pull if the metric goes off track
The most effective metrics a security program can report to leadership are clearly linked to the larger organization's strategy. Anyone would see these as important, and they make the value of the cyber security team to the company obvious.
Determining the important things for your cyber security program takes thinking, input, and agreement from other execs. Unfortunately, these linkages probably aren't represented in the default metrics that come out of the box from your security tools. Presenting inputs and outputs that are critical to your security program ideally gives your leadership team a "check engine light" and an action plan long before there is a real issue that impacts the company.
One of my team's best output metrics right now is the number of revenue-producing staff hours lost to security incidents. It's an ambitious output with a lot of white space and multiple inputs built into it that keep the team focused on executing well in the weeds. It also has an obvious link to a company that wants to sell things. The executives already know that this metric won't be zero forever. If the metric begins to move by more than a small number of hours, it means that either the security threat landscape has shifted in some way or we are lacking a key control that is impacting revenue. Perhaps it means both. A significant movement in this metric means that I'll likely have to spend money. Perhaps even unplanned money. The execs already know this too. If I know the average cost of a staff hour, the metric quickly approximates the revenue impact when I present the cost of the new control to compensate for a change in threats. That metric makes what used to be a hard conversation much easier.
There is a business reality that security practitioners need to be aware of. When a serious security issue arises, only four methods are available to a security leader for a remedy. These four are as follows:
- the metrics available that include the levers to pull for remedy
- existing relationships with other leaders in a position to manage the remediation
- ability to negotiate with those leaders in the absence of a relationship
- political chips to cash in to otherwise compel remediation
Let's say metrics don't exist for a given issue that's become an emergency. Regardless of the tone of voice used for negotiation, last-minute urgency without a compelling metric often comes across as shouting. It does to me anyway. If you are shouting, or coming across as such due to the urgency, you may get the issue fixed, but you've lost. You might choose to use political chips. This is tricky. Cash in those chips too frequently and either you quickly run out of chips or the chips you have left become worth almost nothing. Not a great scenario for long-term success.
The best metrics become your remedy negotiation because they've already answered the most important questions about the serious issue. They tell you what's happened and what levers to pull moving forward. The best metrics are canaries in the coal mine that give the team the necessary time to rectify whatever is wrong. Ideally, a security team member just has to metaphorically slide those metrics across the table and remain silent.