
Tenable Blog

Subscribe

Security Metrics Must Tell a Story That is Relevant to Your Business

Tenable recently sponsored the publication of an ebook, Using Security Metrics to Drive Action. This ebook is a compilation of thoughtful essays from 33 CISOs and other experts, who all share their strategies for communicating security program effectiveness to business executives and the board. Their first-hand experiences are insightful and offer best practices that you can implement in your own organization.

In this blog, I’d like to share my own thoughts on why metrics are crucial to your security program and how they should be presented to your executives, based on my many years of experience consulting and doing technical advisory work with Fortune 500 firms and national governments.

Metrics must tell a story

Most chief executive officers (CEOs) and board-level executives assume that the security team is doing its job. No one goes out of his or her way to build an insecure network, but the metrics that matter are ones that tell a story in the context of a business reality. That story shows where things stand and justifies an action that will improve business performance. Those are the metrics that matter to the CEO. Part of your job as a security professional is to know which metrics are important for the situation at hand.

Metrics describe problems and point to solutions

For example, say that you’re head of security for Acme Widgets, and you recognize an issue that requires a high-level decision. You request a meeting with the board. You might begin by explaining how computer security affects the business. You’ve had malware outbreaks that caused widget production lines to shut down six times in the past year, and each shutdown resulted in a median cost of $150,000 in lost production and remediation. A root-cause analysis of those incidents revealed that all six resulted from malware infections on desktops initiated by phishing attacks. Further analysis revealed that they all came from the same business unit. Additional interviews showed that the security requirements for this group do not match their accessibility requirements.

You then recommend changing the desktop environment. That will cost $XX, but in the upcoming year it will save the company $XXX. Furthermore, you offer to report back in six months about whether the savings have materialized and possibly recommend that this approach be extended to other parts of the company. In the course of your presentation, you move through slides, and each slide is based on an underlying data point. Taken together, these data points describe a problem and point to a solution that is available if Acme Widgets makes a change or takes an action.

Cost projections back up your suggestions

Here’s another scenario where metrics tell a business story. Acme Widgets has been using an internal cloud for a year. Now, it wants to expand cloud services to business partners. As head of security, your first instinct might be to say, “Don’t do that.” But the CEO has a business plan, with numbers showing how much money the company will make. As the CISO, you can say, “This is great, and the security team looks forward to helping.” You can then note that when the cloud system went live for internal use, the incident response rate tripled, and making it available to business partners is likely to at least triple it again. The revenue and cost projections should therefore include the resources needed to handle the anticipated increase in incident volume. That will cost $XX. In this way, you’re being a team player, offering a positive analysis with metrics to back up your points.

Security professionals must be completely tuned in to what’s important to the business. If you work for Acme Widgets and your security team has absolutely zero impact on widget production, you had best polish up your resume. But if it turns out you do have a potential impact on widget production, your security metrics must show that.

My favorite metric

So I must admit that I have a favorite metric that has proven to be useful in many situations. You should track the time between a reported vulnerability and when it’s fixed; then plot that time against the number of incidents attributed to that known vulnerability. I call that the ‘I told you so’ metric. It works every time.
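As an added illustration (not code from the original post), here is a small Python script that computes the ‘I told you so’ metric over constructed vulnerability and incident records: it measures how long each reported vulnerability stayed open, counts only the incidents attributed to it that fell inside that exposure window, and treats a still-open vulnerability as exposed up to the reporting date. The tracker layout, identifiers and dates are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical Acme Widgets tracker export, not real findings).
# Each vulnerability: identifier, date reported, date fixed (None if still open).
VULNS = [
    {"id": "VULN-1", "reported": date(2015, 1, 5), "fixed": date(2015, 1, 12)},
    {"id": "VULN-2", "reported": date(2015, 2, 1), "fixed": date(2015, 5, 20)},
    {"id": "VULN-3", "reported": date(2015, 3, 10), "fixed": None},
]

# Each incident: date it occurred and the known vulnerability it was attributed to.
INCIDENTS = [
    {"date": date(2015, 1, 20), "vuln": "VULN-1"},  # after VULN-1 was fixed: not counted
    {"date": date(2015, 3, 3), "vuln": "VULN-2"},
    {"date": date(2015, 4, 15), "vuln": "VULN-2"},
    {"date": date(2015, 5, 25), "vuln": "VULN-2"},  # after VULN-2 was fixed: not counted
    {"date": date(2015, 6, 1), "vuln": "VULN-3"},
]


def told_you_so(vulns, incidents, as_of):
    """Return {vuln_id: (days_open, incidents_while_open, still_open)}.

    days_open runs from the report date to the fix date, or to `as_of`
    for vulnerabilities that have not been fixed yet.  An incident is
    attributed to the open window only if it happened inside it.
    """
    by_vuln = defaultdict(list)
    for inc in incidents:
        by_vuln[inc["vuln"]].append(inc["date"])

    metric = {}
    for v in vulns:
        window_end = v["fixed"] or as_of
        days_open = (window_end - v["reported"]).days
        hits = sum(1 for d in by_vuln[v["id"]] if v["reported"] <= d <= window_end)
        metric[v["id"]] = (days_open, hits, v["fixed"] is None)
    return metric


def plot_points(metric):
    """The (time-to-fix, incident-count) pairs to plot, sorted by time-to-fix."""
    return sorted((days, hits) for days, hits, _ in metric.values())


if __name__ == "__main__":
    result = told_you_so(VULNS, INCIDENTS, as_of=date(2015, 6, 30))
    for vuln_id, (days, hits, still_open) in result.items():
        flag = " (still open)" if still_open else ""
        print(f"{vuln_id}: open {days} days, {hits} incident(s) while open{flag}")
```

The sorted pairs from `plot_points` are the x/y points for the chart the post describes: the longer a known vulnerability stays open, the more incidents tend to pile up against it.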

More information

Security Metrics That Drive Action
