2. Demonstrate ROI
Security investment metrics — such as the percentage of key business initiatives with embedded security processes — allow CISOs to demonstrate the return on investment (ROI) of security initiatives to executive leadership and stakeholders. This helps to justify budgets and investments by showing how these efforts contribute to risk reduction and incident prevention. “Regarding risk, it’s not cyber risk that stakeholders are concerned with; it’s the business risk from cyber,” Contos says. More specifically, it’s risks associated with revenue, brand, operations, and environmental, social, and governance, he adds.
3. Effective communication
Security awareness metrics — such as the percentage of business units with regular ambassador program engagement — help convey whether an organization is building a security-aware and risk-aware culture, providing “a common language for communicating security risks and improvements to non-technical stakeholders,” Kim says. CISOs can use metrics to explain the effectiveness of security measures and the overall security posture of the organization, something that has traditionally been a challenge for a lot of security leaders.
Bear in mind that CISOs who present very technical metric readouts to the board often miss the mark because board members cannot contextualize them, says Fred Rica, partner at accounting and consulting firm BPM and former head of KPMG’s cyber practice. “Telling the board you’ve blocked 100,000 events at the firewall is meaningless. Board members need to be asking (and CISOs need to be answering) three simple questions: What are we doing? Is it enough? How do we know?”
4. Risk assessment
Vulnerability management metrics — such as the window of exposure — help CISOs better understand an organization’s risk profile, and by monitoring trends and identifying potential vulnerabilities, they can proactively address security threats before they escalate.
“Ultimately, vulnerability management is about addressing the broken windows and unlocked doors of an enterprise,” Kim says. “These metrics convey how long these doors are potentially open for and serve to roll up day-to-day operational activities like scanning coverage, time to analyze and prioritize, as well as time to patch,” he adds.
5. Continuous improvement
Security process improvement metrics — such as the percentage of incidents with the same repeat root cause — track progress over time, enabling CISOs to set specific goals. “This data-driven approach helps drive continuous improvement in security practices and fosters a culture of accountability,” Kim says. These risk-based metrics can then make their way into annual reports, corporate governance documents, and committee charters, as they should because security is strategic to the business, says Contos.