Moving from measurement to metrics in cybersecurity

CISO Public Sector Domain, Fortinet.

Over the past three years, IT and cybersecurity leaders have faced tremendous challenges as the world of work transformed before our eyes, customer preferences changed almost overnight, and the move to cloud and edge computing accelerated beyond its already frenetic pace. IT leaders built new infrastructure on the fly to support millions of new remote workers, students, and healthcare visits. And IT leaders across multiple industries rapidly developed technology to make supply chains more resilient, service delivery more efficient, and employees more connected.

Navigating the “new normal”

As the dust settled in 2022, IT and cybersecurity leaders were able to catch their breath and think strategically again. In 2023, they face growing expectations not only to enable secure connectivity and employee productivity, but also to support bold new digital transformation (DX) and customer experience (CX) initiatives. In many cases, these projects are necessary in a rapidly changing market, but they come at a time of increasing financial pressure and economic uncertainty.

For technology leaders, this means an increased need to justify investments when they are proposed and to demonstrate their impact after they are implemented. If an initiative is well planned and executed, this is relatively easy to do for connectivity, worker productivity and ease of use. But as has always been the case, it is more difficult to quantify the specific impact of security investments.

Admittedly, it is relatively easy to show anecdotally that a particular investment has made things more secure, or that a future investment will improve security at least incrementally. The problem is that in times of economic uncertainty, “good” is not good enough. As cybersecurity competes with a myriad of other business priorities, how can the CISO use an objective performance metric to quantify security return on investment (ROI)?

Go beyond basic motivations

It’s an age-old question for cybersecurity practitioners, but in reality it’s not unique to the CISO team. If we step back and ask, “Why are we doing cybersecurity, or anything else?” we like to pretend that our thought processes are driven by facts and data. In practice, we generally act from one of four motivations:

• Faith – The belief that we are doing the “right thing”.

• Fear – Trying to prevent damage to the business.

• External pressure – Carrots or sticks from governments, regulators, media or customers.

• Inertia – Doing something because we’ve always done it before.

So, given these reasons behind the actions we take, why do we try to measure the results of what we do? In my experience, cybersecurity professionals typically measure to answer one of three questions:

• How am I doing? Performance against benchmarks.

• How can I prove it? Preparation for compliance audits.

• How can I do better? Attempting to improve through gap analysis.

Moving from measurement to metrics

But we need more than measurements to understand the impact of any initiative, including cybersecurity. It is of no use to us to know that the temperature in an office is 72 degrees Fahrenheit if we do not know what temperature is desirable. In this example, an understanding of which thermometer readings correspond to human comfort is what we can call a metric.

Cybersecurity is quantitative in nature and therefore awash with potential measurements. The problem is that we tend to be bad at metrics. Or perhaps more accurately, as an industry, we cannot agree on the most appropriate metrics to paint an accurate picture of cybersecurity ROI. Ultimately, we need to understand what is being invested in, what capability results from it, and what impact the investment has on the business mission and its overall risk portfolio.

Leverage best practices to improve metrics

A good grasp of cybersecurity metrics can allow a security team to have a real impact in reducing risk, and even in improving a company’s results. If metrics are designed effectively, they will incentivize a strategic approach that focuses on the big picture rather than solving each problem in a silo. Security managers who understand metrics will take steps like these:

• Take advantage of new technologies. Moore’s Law means that new devices are not only more powerful than the ones they replace, but they also often have more functions. A new security appliance can often replace half a dozen old ones, improving ROI by simplifying administration across IT, security, and procurement teams.

• Embrace AI-driven automation. Artificial intelligence (AI) and machine learning (ML) are transforming security with real-time detection and response that previously required human intervention. Service providers make it easy for organizations to deploy this technology.

• Deploy CSMA. Gartner coined the term “cybersecurity mesh architecture” (CSMA) to describe emerging ecosystems of interoperability that enable enterprises to manage all of their cybersecurity from a single platform, even when the security stack includes solutions from different vendors. This type of integration is essential for both security and return on investment.

• Find a trusted partner. While larger companies may have the internal resources necessary to keep up to date with market trends and current capabilities, most organizations do not. The best CISOs have a small group of trusted advisors — perhaps a core vendor or managed service provider (MSP), perhaps a cybersecurity industry body or organization — to help them understand the most effective next step at any given time.

Adopt metrics in 2023

You have access to a myriad of measurements of your cybersecurity stack. In an age of scarce resources, now is the time to refine your metrics in a way that accurately communicates the real value your organization derives from your team’s investments. An integrated security infrastructure with up-to-date tools and protections reduces administrative and compliance costs while improving an organization’s overall risk profile. And it’s possible to tell that story in a way the CEO and board can understand.
