Over the past decade, organizations have started recognizing the huge importance cybersecurity plays in keeping their data secure and their customers and employees protected. A large part of the action they’ve taken has been monitoring their systems to detect abnormalities. However, monitoring is a passive act that plays just a single role in a comprehensive information security program. It’s the proactive step of measuring that most determines the effectiveness of your security controls and the likelihood of a security incident.
Your IT department is probably already performing a good amount of measuring. The issue is, they’re focusing on measuring technology performance and availability, not levels of risk and security effectiveness. Organizations must introduce information security metrics that identify security risks that lead to corrective actions or adjustments to controls.
What Makes Up Good Security Metrics?
Metrics come in many different types — outcomes, performance, policy, probabilities, process, quality and trends — but they can be useful or irrelevant. Good metrics are: consistently measured, expressed by a concrete number or percentage (instead of vague terms such as high, medium and low), use one unit of measure (e.g., hours, dollars and deficiencies), and are actionable, accurate, timely and predictive.
You can find metrics in surprising places. Department and project budgets, audits and assessments, vendor reports, proposals, business strategies — all of these sources offer opportunities for measurement when you’re focusing on the right areas. Pinpoint these areas by asking yourself questions like:
- What are our strongest and weakest security points?
- What are our biggest security threats or concerns?
- Have we mitigated all reasonably foreseeable information security risks?
- Are we compliant with contractual, statutory and regulatory requirements?
- Are we identifying emerging information-security issues?
- Are our security resources properly allocated and are we investing enough in them?
- Can we handle compromises, breaches and other security-related incidents effectively and efficiently?
Your organization’s technical, physical and administrative controls all play a role in providing metrics that help you determine if your information security is effective and what actions you need to take to improve its effectiveness.
How Much Should My Security Metrics Change?
A key factor of success is the ability to adapt your metrics based on your organization’s needs and how it is changing. Some criteria will be static, but businesses are always evolving to stay competitive, grow market share and become an industry leader. That means new technology, new processes, new people and new goals — all of which contribute to information security risk. Adapting metrics to accommodate change will help you stay on top of information security and lessen the risk of a catastrophic incident like a data breach exposing confidential information of your customers.
One major component to updating metrics is making sure your data is accurate and being interpreted correctly. There are common data analysis pitfalls you can avoid by asking questions like:
- Are the numbers lying because the raw data is wrong or the analysis is faulty?
- Are the numbers misleading because they don’t take into account all the relevant factors?
- Has something changed that makes the metric irrelevant or incorrect?
- Are the numbers and analyses, in fact, correct and your intuition is wrong?
Sometimes the intuition of a knowledgeable, experienced person can save the day, but other times, the numbers reveal something unexpected and concerning. Asking these questions can help you determine how to correctly interpret your data.
How Do I Make My Security Metrics Usable?
In order to improve information security and lessen risk, your metrics need to be understandable and usable, which means you need to take them from their raw form and make them digestible. Using maturity models, scorecards, benchmarking and statistical analysis adds this essential value to your metrics.
When it comes to scorecards, there are some best practices organizations would be wise to follow. All information shared should be relevant, reader-friendly, insightful and concise. It should contain summaries and callouts, with graphics that visualize the information. It should be free of technical jargon and brief to avoid information overload.
Most importantly, your scorecard should communicate insights, not just information. Highlighting changes, trends and patterns is very helpful in making decisions, as is showing industry averages and relative performance against peers. And when you highlight any impact on crucial areas such as business operations, your bottom line or market share, you make it all the easier for business leaders to digest the information and use it to make vital decisions. Enabling dialogue and discussing solutions are key to making changes that protect your organization.
Keeping up with the everchanging world of cyberthreats and security best practices isn’t easy, especially when you’d rather be focusing on growing your business. But when one mistake or accident can lead to a data breach that costs your business big time in litigation, fines and reputation, it’s worth it to go to the specialists.
Put your organization in capable hands with Wipfli. We help you define your security metrics and establish a program that measures information security and provides effective actions to keep your organization — and customers — protected. Contact us to learn more.
Brotby, W. Krag and Gary Hinson. PRAGMATIC Security Metrics: Applying Metametrics to Information Security. Boca Raton, FL: Auerbach Publications, 2013.
Jaquith, Andrew. Security Metrics: Replacing Fear, Uncertainty, and Doubt. Boston, MA: Addison-Wesley Professional, 2007.
Brotby, W. Krag. Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement. Boca Raton, FL: Auerbach Publications, 2009.