The metrics that quantify cybersecurity’s contributions to a business’ resiliency and growth matter most. CISOs and their teams who own dashboards and present them to senior management must clearly define how cybersecurity contributes to business goals. Identifying which metrics best quantify what value security delivers to a business is a valuable skill every CISO must continually strengthen. Data, not stories or anecdotes, are table stakes for measuring security’s value to a business.    

CISOs earning seats on the board 

What differentiates fast-track directors, VPs, and C-level executives progressing in their careers in cybersecurity is how they connect what they’re doing to deliver business value. They’re not relying on the hundreds of canned metrics that security tools can produce at the click of a mouse. Instead, they’re much more discerning in which metrics they produce and share. A strong focus is using metrics to improve endpoint security and showing it can deliver business value, for example.

CISOs who know how to manage and direct cybersecurity strategies to deliver business value and measurable results are increasingly invited to join their company’s board of directors. 

“I’m seeing more and more CISOs joining boards. I think this is a great opportunity for everyone here (at Fal.Con) to understand what impact they can have on a company. From a career perspective, it’s great to be part of that boardroom and help them on the journey. To keep business resilient and secure,” George Kurtz, cofounder and CEO, CrowdStrike, said during his keynote at CrowdStrike Fal.Con in September of this year.   

Metrics guardrails CISOs use 

CISOs from CrowdStrike customers VentureBeat spoke with following Kurtz’s keynote provided advice and guardrails on selecting and using metrics to communicate cybersecurity’s value to a business. Most important is providing only the metrics that support and show integrated value to corporate-wide balanced scorecards. Balanced scorecards speak in terms CEOs speak to their boards, so CISOs say that’s an immediate win for showing cybersecurity’s value in quantifying direct contributions to the business.

Additional guardrails CISOs are recommending when selecting metrics for reporting cybersecurity’s value to the business include the following:

Tool-driven metrics often lack context, so use them sparingly

Given the rapid increase in malware-free attacks, there’s a tendency on the part of cybersecurity teams to add more metrics. Seeing more reported data as a panacea for rising risks that aren’t immediately understood, cybersecurity teams will turn on as many metrics as possible, looking for clues. Relying on antivirus, SIEM (security information and event management), security ticketing systems, vulnerability scanners, and more, CISOs’ teams generate an overwhelming number of metrics that lack context. 

CISOs warn that presenting metrics straight from tools without a narrative supporting them is a mistake. C-level executives and the boards they report to are more focused on new insights that are contextually relevant than a series of tactical measures.

Prioritizing user requests and knowing when to say no

Every new high-profile intrusion or breach drives up to a dozen or more internal user requests for new metrics. Managing user requests by how much value they provide to contextual intelligence and delivering business value is critical. CISOs tell VentureBeat it’s easy to say no to additional metrics requests when there is no connection to requested metrics that quantify the value cybersecurity delivers. 

The most trustworthy metrics are improved slowly and carefully over time

Contrary to the promises cybersecurity vendors make of having all the security metrics they need out of the box, CISOs tell VentureBeat that it’s in the continual fine-tuning of a small set of metrics that show cybersecurity’s business value. The most trusted metrics have a track record of accurately quantifying how security spending improves resilience and safeguards growth.

“Make sure the metrics are simple enough for your C-suite or elected officials to understand without a long explanation. If the metrics are too complicated, they won’t help you, and they can even hurt you,” said Tim Roemer, director and CISO for the State of Arizona Department of Homeland Security. 

Keep accuracy, precision measurement and consistent monitoring in balance

Defining the context of a metric with data is far more powerful than relying on stories or anecdotes. CISOs told VentureBeat that the knee-jerk reaction to a rise in intrusions and breach attempts is tightening metrics’ granularity. Trying to derive more accuracy and precision than a metric is designed to provide is a guardrail some CISOs rely on. Instead, data consistency over time helps provide context — precisely what C-level boards want regarding cybersecurity spending and results. 

Which cybersecurity metrics matter most?

When cybersecurity professionals first become CISOs, they often concentrate on establishing a measurable baseline of security levels and risk management. However, as cybersecurity vendors continue to improve their use of predictive analytics and machine learning, there’s more reliance on scoring relative levels of cyber-risk. CISOs should also start tracking activity-based metrics, including clock rates on phishing training emails, as they help strengthen training programs and contribute to a more effective human firewall.

“We partnered with RiskSense to have all our agencies represented by credit scores of cyber-risk. This helped drive our enterprise security program as a high priority to help agencies improve those scores by adopting our tools. As we improved our risk score, we kept increasing the target goal and created competition among agencies. The results were shared in cabinet meetings with the Governor,” said Roemer.  

Apply zero trust to cyber and physical security 

CISOs told VentureBeat that intrusion attempts and threats are increasingly crossing over between cyber and physical attack vectors, especially on corporate campuses and government buildings. Least-privilege access is just as relevant to a badging system as to any enterprise data system, data store or network. Processing plants that rely on industrial control systems (ICSs) are primary targets for cyberattackers looking to use simple USB drives to infect an entire plant with ransomware. Electrical, petroleum and power processing plants run on ICS systems that aren’t designed for security. Relying on air gaps to secure ICS systems is one of the riskiest strategies. There’s a breach epidemic happening in manufacturers and plants running ICS that zero trust can help alleviate.

“Zero trust is just as important to physical security as to cybersecurity. So, therefore, it works well across the board as a sound strategy for our department. Just like we don’t want an employee to have badge access to the entire Capitol, we also don’t want an employee with admin rights being able to access state data that they don’t need access to,” Roemer told VentureBeat during a recent interview.

Privileged access management (PAM) and identity access management (IAM) are core to many zero-trust network access (ZTNA) initiatives and can provide valuable contextual data on cybersecurity’s contribution to a business. For example, it’s common to find CrowdStrike and Elastic dashboards being used to track admin account usage statistics. CISOs tell VentureBeat they’re also using the data from CrowdStrike to complete periodic audits and assessments of login attempts, last login dates, password change history and privileged access histories.

Endpoint threat detection is a must-have 

Nearly every potential intrusion or threat activity an organization faces starts with endpoint attacks. The typical endpoint has 11.7 security controls installed, each decaying at a different rate, creating multiple threat surfaces. Absolute Software’s 2021 Endpoint Risk Report found that 52% of endpoints have installed three or more endpoint management clients, and 59% have at least one identity access management (IAM) client installed. According to a recent Tanium survey, 55% of cybersecurity and risk management professionals estimate that more than 75% of endpoint attacks can’t be stopped with their current systems, making metrics aimed at preventing endpoint attacks a priority. 

Knowing what’s on every endpoint and where every one of them is is core to a successful ZTNA strategy. Absolute Resilience, CrowdStrike Falcon, Ivanti Endpoint Manager, Trend Micro, SentinelOne and others are leaders in endpoint protection platforms who can track each endpoint asset and its configuration. Having all that data on a single pane of glass is what CISOs are looking for to gain contextual insight and show that cybersecurity is delivering value. 

When VentureBeat asked Roemer how vital threat detection is as a metric, he said, “It’s extremely valuable. The CrowdStrike dashboards we use are a huge upgrade to what we had before, and I can’t even imagine being a CISO without them. In addition, whenever we set up CS for our agencies, they always provide us immediate feedback with glowing results.”

When asked how he’s achieved the goal of combining endpoint protection and asset management as a core part of the department’s goals, Roemer says that “CrowdStrike and Tanium work well together for our entire enterprise security program. This was a game-changer for us when the pandemic first happened, and it continues to be of critical importance to us with the increase in teleworkers. It allows us to monitor software on our endpoints and push the patches remotely.”

Endpoint visibility metrics are valuable in proving security’s value across organizations. Concentrating on tracking open and remediated vulnerabilities by endpoint type, location and segmentation are table takes.  “Our inventory management tool through Tanium is a lifesaver for seeing what is connected to our networks. Being able to see several vulnerabilities remediated quickly and number of vulnerabilities open is beneficial,” Roemer said.

Mean time-to-detect and mean time-to-recover 

Both metrics measure security’s level of operational efficiency and how well-coordinated security is across other departments. For example, CISOs typically rely on mean time-to-detect as a high-level metric average across sectors to understand how well systems detect events. Examples of the specific measures include the dwelling time of threat actors. It’s also used as an internal metric to quantify how quickly the security operations center (SOC), combined with tools, can detect incidents.

Getting an accurate measurement of mean time-to-recover is more challenging because it’s not always a performance measure of the security team, said Roemer. He said that to get an accurate measure, it usually requires IT operations and business support, and depends heavily on preparation as input to improve the metric, including good offline backups, resilient cloud environments, business continuity, contingency and disaster recovery plans. 

“What we can do to assist here is ensure that agencies comply with statewide policies which require contingency planning, incident response planning, and help with periodic testing and exercising of these plans so they can be best prepared to respond to and recover from a major incident,” Roemer said.

Time to put dashboards on a diet 

Most dashboards have too many metrics to communicate the value that cybersecurity delivers to a business. It’s time to take a hard look at the dashboards and trim back any metric that doesn’t impact resilience, growth or endpoint security. Every new widely publicized breach leads to at least a dozen new metric requests. Adding more metrics isn’t the panacea for fear of a breach. Having reliable, trustworthy data is.