Nearly every day we hear about new security breaches in the news, and few businesses or consumers have escaped the sting of a cyberattack. One of the key takeaways from this steady onslaught is that many companies suffer a profound lack of visibility when it comes to security. While we’d like to think that most of these breaches are the result of some incredibly sophisticated attack, the fact is that in many cases there were fundamental security control gaps that could have been identified before any breach through measurements taken within a formalized security measurement framework.
One positive outcome of the heightened awareness of security breaches is the increased desire by companies to quantify their security risk and ensure that the security program is aligned with the overall business objectives and strategies. What boards, shareholders, and the C-suite are asking for requires targeted security measurement.
As security-focused strategic advisors, we’ve partnered with many companies and executed security assessments that have revealed a range of operational maturity when it comes to security measurement. Generally, security measurement strategy falls into one of these simplified categories.
Security Measurement is Not a Priority
Too often companies treat security measurement as an output of a security tool, consulted only when someone “asks for it.” Sure, you’re supposed to “monitor” security or generally be aware of what is on the network, but this approach lets companies assume that everything is working as it should. Measurement is performed in silos and is rarely cross-correlated. This lack of focused measurement results in limited visibility and, as a result, increased risk.
Data is Actively Collected
Security measurement is considered important and metrics are being tracked, but the data collected may not align directly with security program goals or give confident answers about security risk. Without question, there is no shortage of options for what can be measured, which often leads to a “boil the ocean” or “measure everything” scenario. Companies tracking data without a meaningful strategy may miss critical information, either because it is overlooked or because it is buried in an overwhelming amount of less-relevant data.
Security Measurement is Aligned with Business Objectives
The metrics that matter are different for every organization, but they are arrived at through a mature security measurement framework. Companies in this category have identified their program goals and, using a security measurement framework such as Goal-Question-Metric (GQM), have aligned both qualitative and quantitative security measurements with those goals. Their measurements can be used to inform cyber insurance spend, security mitigation prioritization and spend, and overall security risk management.
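As an added illustration (not code from the original post or any particular product), here is a small Python sketch of a GQM tree: one goal, the questions that decide whether it is met, and the metrics that answer them, computed over a constructed set of vulnerability findings. The SLA values, the measurement date and the findings themselves are assumptions made for the example.

```python
from collections import namedtuple
from datetime import date

AS_OF = date(2024, 2, 28)                # measurement date (assumed)
SLA_DAYS = {"critical": 14, "high": 30}  # assumed remediation SLAs in days, per severity
Finding = namedtuple("Finding", "severity found fixed")  # fixed is None while still open

# Constructed sample findings; severities and dates are illustrative only.
FINDINGS = [
    Finding("critical", date(2024, 1, 2), date(2024, 1, 9)),
    Finding("critical", date(2024, 1, 5), date(2024, 1, 30)),
    Finding("critical", date(2024, 1, 20), None),
    Finding("high", date(2024, 1, 15), date(2024, 2, 20)),
    Finding("medium", date(2024, 1, 8), None),
]

def exposure_days(f):
    """Days the finding was open; still-open items are counted up to AS_OF."""
    return ((f.fixed or AS_OF) - f.found).days

def breached_sla(f):
    """True when a finding with an SLA stayed open longer than that SLA allows."""
    return f.severity in SLA_DAYS and exposure_days(f) > SLA_DAYS[f.severity]

def sla_compliance_pct(severity):
    """Share of findings that stayed within SLA; open items past SLA count as breaches."""
    items = [f for f in FINDINGS if f.severity == severity]
    return round(100.0 * sum(not breached_sla(f) for f in items) / len(items), 1)

def open_past_sla():
    """Findings that are open right now and already beyond their SLA."""
    return sum(1 for f in FINDINGS if f.fixed is None and breached_sla(f))

# GQM tree: a goal, the questions that decide whether it is met, and per question
# the metric that answers it. A metric that answers no question does not belong here.
GQM = {
    "goal": "Shorten the exposure window of critical vulnerabilities",
    "questions": {
        "Are critical findings fixed within SLA?":
            {"critical_sla_compliance_pct": lambda: sla_compliance_pct("critical")},
        "What is exposed right now beyond its SLA?":
            {"open_findings_past_sla": open_past_sla},
    },
}

def evaluate(tree=GQM):
    """Compute every metric, keyed by name, so each number traces back to a question."""
    return {name: fn() for metrics in tree["questions"].values() for name, fn in metrics.items()}
```

Because every metric hangs off a question, a number that no question needs never gets collected, which is the discipline that keeps a program out of the “measure everything” category above.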
No matter where on the spectrum your program currently sits, ongoing efforts to improve security measurement are well worth the time. A thoughtful strategy keeps you from collecting irrelevant or redundant data and from drawing questionable, non-reproducible conclusions. Whether you assess risk on your own or with the help of external security specialists, a mature security measurement strategy will help answer critical questions about your security program and lead to meaningful analysis that increases security visibility while reducing overall security risk.
For more about how to implement a security metrics strategy, check out our free eBook, Security Metrics Strategy for Improved Risk Management.