Implementing a Security Metrics Strategy: Where to Start

The call for security measurement is, unfortunately, a reactive movement. Security breaches are in the news every day, and very few businesses haven’t felt the burn of a cyberattack. We like to think that breaches occur as a result of some incredibly sophisticated and intelligent cyberattack, but the fact is that it usually comes down to missing fundamental components, all of which are measurable.

Not only are security breaches occurring more frequently, but boards, shareholders, and the C-suite are now asking for quantifiable assessment of security risk as well. They want to see true security posture measured within their organization. So where do we start?

Understand That Without a Goal, You're Just a Data Collector

Without a doubt, utilizing security tools, and the data they provide, is an imperative part of assessing your risk and measuring your security. However, data collection alone is not a security metrics strategy. Without first establishing what measurements are important to your organization, you’ll end up buried in numbers without any context or understanding with which to guide meaningful analysis.

A winning security metrics strategy will always align with the business's security objectives. Only by considering the goals, critical processes, operational risk, and threats can we arrive at a metrics strategy that accurately assesses the risk.

Apply Existing Industry Standards and Security Frameworks

The CIS 20, ISO Framework, and NIST Cybersecurity Framework are examples of existing standards that provide both measurement and guidance. The problem is that they're not being used enough. These standards and reference guides have been around for years, but there's no mandate that organizations use them. Without a compliance protocol, or anything else regulating security measurement, many organizations fall short.

Other measurements such as MTTI (mean time to identification), MTTC (mean time to contain), vulnerability scans, and SIM exist to help respond in the event of a breach, identify security gaps, and raise alerts when a security issue occurs. These similarly standard tools and metrics are used more often because they're easy to implement and run.

Each of these examples is a small piece of the total security metrics pie. You have to bring all of these areas of data together in order to see the forest for the trees.
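As an added illustration of the time-based metrics named above (not code from the article or its authors), the script below computes MTTI and MTTC over a small set of constructed incident records. It assumes MTTI is measured from when an incident occurred to when it was identified, and MTTC from identification to containment; incidents that are still open are counted but excluded from MTTC, out-of-order timestamps are rejected, and medians are reported alongside means so that a single slow detection does not silently dominate the headline number.

```python
from datetime import datetime
from statistics import mean, median
from typing import Optional

# Constructed sample incident records for illustration; not data from the article.
# Timestamps are ISO 8601. "contained" is None for incidents that are still open.
INCIDENTS = [
    {"id": "INC-001", "occurred": "2024-03-01T08:00", "identified": "2024-03-01T10:00", "contained": "2024-03-01T16:00"},
    {"id": "INC-002", "occurred": "2024-03-03T00:00", "identified": "2024-03-05T00:00", "contained": "2024-03-05T12:00"},
    {"id": "INC-003", "occurred": "2024-03-10T09:00", "identified": "2024-03-10T09:30", "contained": "2024-03-10T11:30"},
    {"id": "INC-004", "occurred": "2024-03-12T14:00", "identified": "2024-03-12T15:00", "contained": None},
]


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp, passing None through for missing values."""
    return datetime.fromisoformat(value) if value else None


def _hours(start: datetime, end: datetime) -> float:
    """Elapsed hours between two timestamps; reject records whose clock runs backwards."""
    delta = (end - start).total_seconds() / 3600
    if delta < 0:
        raise ValueError(f"timestamps out of order: {start} -> {end}")
    return delta


def time_to_identify(incident: dict) -> float:
    """Hours from when the incident occurred to when it was identified (TTI)."""
    return _hours(_ts(incident["occurred"]), _ts(incident["identified"]))


def time_to_contain(incident: dict) -> Optional[float]:
    """Hours from identification to containment (TTC); None while the incident is open.

    Assumption: TTC is measured from identification, not from occurrence.
    """
    contained = _ts(incident["contained"])
    if contained is None:
        return None
    return _hours(_ts(incident["identified"]), contained)


def compute_metrics(incidents: list) -> dict:
    """MTTI and MTTC over a set of incidents, with medians to expose outlier skew."""
    tti = [time_to_identify(i) for i in incidents]
    ttc = [t for t in (time_to_contain(i) for i in incidents) if t is not None]
    return {
        "incident_count": len(incidents),
        "open_incidents": len(incidents) - len(ttc),
        "mtti_hours": mean(tti),
        "median_tti_hours": median(tti),
        "mttc_hours": mean(ttc) if ttc else None,
        "median_ttc_hours": median(ttc) if ttc else None,
    }


if __name__ == "__main__":
    for key, value in compute_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the mean TTI is 12.875 hours while the median is 1.5 hours: one incident that took two days to notice pulls the mean up by an order of magnitude, which is exactly the kind of context a raw MTTI figure hides when it is reported on its own.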

Value Qualitative Data as much as Quantitative Data

Data can be divided into two categories: empirical quantitative data, and its experiential sister, qualitative data. The two approaches are often confused, but neither is better or worse than the other; each has its benefits. They usually answer different questions, so it's vital to choose the right one for each query. Both may play a vital role in the execution of your security metrics strategy.

The problem with qualitative, subjective measuring is that it leads to inconsistent results, which can be intimidating to try to analyze. However, sometimes we have to be subjective because we lack the empirical data to avoid it. We just need to be wary that subjective data can show bias and yield inconsistent measurement between people, or even by the same person over time.

Kickstarting a winning security metrics strategy means that you’re making the most of your measurements. Ensure that you’re not collecting irrelevant data that doesn’t correlate to your overall business objectives. Whether your data is qualitative or quantitative (or better yet, a mixture of both), each measurement should address a specific question about your organization’s goals.

For more guidance on how to implement a security metrics strategy, check out our eBook, Security Metrics Strategy for Improved Risk Management.