Anything can be measured and turned into a metric.
Some of these metrics are meaningful. Most aren’t. The most
meaningful metrics measure things that are related to your business goals.
You could measure the number of spoons in a restaurant and how that number changes over time. Or you could measure the relative profitability of one restaurant against the others. Which would be more meaningful for understanding your business?
Cyber security offers the same myriad choices of things to measure. Most programs seem to focus primarily on input metrics, which report data points from tools. Again, some are meaningful. Others may be easier to generate but are less meaningful.
For instance, a perimeter security tool vendor can easily highlight the number of malicious attacks being blocked at the perimeter. A related but more valuable metric is the number of attacks that are getting through the perimeter. It is harder to measure and will likely require correlating data from multiple tools, but it says far more about the state of your cyber security program.
Efficiency metrics, which measure some output per unit of cost, are also popular. These are most often expressed in units per dollar.
The best cyber security metrics tie directly to your business goals. They are output metrics that answer key questions linking the success of cyber security activities to measurable business outcomes.
For instance, revenue may be important to many
organizations. Every minute that revenue producing staff are dealing with
disruptive security incidents is time that they are not generating revenue. Perhaps
you could demonstrate the value of cyber security investments to the senior
executives by measuring how much revenue producing time has been lost to
security incidents.
This is an output metric that demonstrates direct value to the business. It assumes that you are also measuring the coverage of your tools, because the number is only credible if you know which incidents you can see. It is expected to be non-zero: it represents the combined effect of the gaps in your controls, processes, and tool efficacy.
If the value moves steadily upward, perhaps you don't have the right controls in place. If the number stays relatively constant and then suddenly starts moving, perhaps there is a detection use case that needs improvement, or there has been a change in the threat landscape that requires some change in your defense.
In my organization, we measure this by staff hours. 40 employees for one hour equates to 40 staff hours lost. Five employees for 4 hours means 20 staff hours lost. It's an ambitious metric, but it also allows us to attach a meaningful monetary value to incidents that impact revenue. We can then have a tangible value to compare to the cost of the controls needed to mitigate this type of threat.
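The calculation above, carried through from individual incidents to a monthly series and a control cost comparison, as an added example that is not part of the original post. The incident records, the revenue rate per staff-hour, the control cost, and the spike threshold are all constructed assumptions for illustration; substitute your own figures.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Assumed, illustrative rate: revenue attributed to one hour of a
# revenue-producing employee's time. Not a figure from the original post.
REVENUE_PER_STAFF_HOUR = 150.0
# Assumed annual cost of the control whose value is being justified.
CONTROL_ANNUAL_COST = 60_000.0

# Constructed incident records: how many revenue-producing staff were
# disrupted and for how long. Values are made up for the example.
INCIDENTS = [
    {"id": "INC-001", "date": date(2023, 1, 12), "staff": 40, "hours": 1.0},
    {"id": "INC-002", "date": date(2023, 1, 25), "staff": 5, "hours": 4.0},
    {"id": "INC-003", "date": date(2023, 2, 3), "staff": 10, "hours": 2.0},
    {"id": "INC-004", "date": date(2023, 2, 19), "staff": 20, "hours": 2.0},
    {"id": "INC-005", "date": date(2023, 3, 8), "staff": 30, "hours": 2.0},
    {"id": "INC-006", "date": date(2023, 4, 2), "staff": 120, "hours": 3.0},
    {"id": "INC-007", "date": date(2023, 4, 21), "staff": 15, "hours": 2.0},
]


def staff_hours(incident):
    """Staff-hours lost to one incident: affected staff times hours of disruption."""
    return incident["staff"] * incident["hours"]


def monthly_staff_hours(incidents):
    """Aggregate staff-hours lost per calendar month, keyed 'YYYY-MM', oldest first."""
    totals = defaultdict(float)
    for inc in incidents:
        totals[inc["date"].strftime("%Y-%m")] += staff_hours(inc)
    return dict(sorted(totals.items()))


def revenue_lost(hours, rate=REVENUE_PER_STAFF_HOUR):
    """Convert staff-hours into the revenue those hours would have produced."""
    return hours * rate


def flag_sudden_moves(monthly, window=3, factor=2.0):
    """Return months whose loss exceeds `factor` times the mean of the preceding
    `window` months. A flagged month is the prompt to look for a detection
    use case that needs work or a change in the threat landscape."""
    months = list(monthly)
    flagged = []
    for i in range(window, len(months)):
        baseline = mean(monthly[m] for m in months[i - window:i])
        if monthly[months[i]] > factor * baseline:
            flagged.append(months[i])
    return flagged


def control_justified(incidents, control_cost=CONTROL_ANNUAL_COST,
                      rate=REVENUE_PER_STAFF_HOUR):
    """True when revenue lost to the incidents a control would have mitigated
    meets or exceeds the control's cost over the same period."""
    total_hours = sum(staff_hours(inc) for inc in incidents)
    return revenue_lost(total_hours, rate) >= control_cost


if __name__ == "__main__":
    by_month = monthly_staff_hours(INCIDENTS)
    for month, hours in by_month.items():
        print(f"{month}: {hours:>6.1f} staff-hours  "
              f"${revenue_lost(hours):>10,.2f} revenue lost")
    print("sudden moves:", flag_sudden_moves(by_month))
    print("control justified:", control_justified(INCIDENTS))
```

Only incidents that the proposed control would actually have mitigated should feed `control_justified`; feeding it every incident overstates the case for any single control. The spike check is deliberately simple (a multiple of a trailing mean); a program with a longer history can replace it with whatever change detection it already trusts.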
By reporting measurable cyber security outcomes to
executives rather than posture, business executives have something that they
can understand, evaluate, and properly resource.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.