10 reasons to get excited about cybersecurity metrics and measurement

September 22, 2022

Charlotte Jupp

Reporting, measurement, and metrics are not at the glamorous end of cybersecurity. However, a quality security measurement programme can bring a range of exciting benefits.

Many security pros look at reporting as an unfortunate but necessary time sink. That is often because they are still knee-deep in manual reporting, which means they have not yet tapped into the benefits that come from accurate metrics and measures on their security controls.

Automating security measurement allows you to take huge steps towards improving your security posture, maximising your current arsenal of tools and controls, and ultimately helping to stop preventable breaches.

So, here are 10 reasons to get excited about cybersecurity metrics and measurement.

 

1. Drive accountability

Our customers cite accountability as one of their biggest cybersecurity challenges. All organisations struggle with it, but it’s a particular thorn in the side of a cybersecurity team, because they’re so reliant on collaboration with other departments to get the job done.

A good measurement programme brings with it the benefits of understanding ownership. Once you know who’s responsible for every asset, whether that’s a laptop, server, application, or even patch, you can drive accountability far more effectively. If you can prove when issues are actually fixed, for example a remediated vulnerability confirmed by a clean rescan rather than a yes/no from your ticketing tool (a closed ticket is a claim, a clean rescan is evidence), this also supports accountability across the organisation.

It is also important to understand the difference between executive/business accountability and technical accountability: the former is who owns the risk, the latter is who is responsible for remediating it. If you understand the business accountability, the issue is no longer just a cyber or IT problem but a business problem too, which helps drive change and get buy-in.

 

2. Attest to oversight functions

Whether it’s answering compliance questionnaires, reporting to the board, or a third-party audit, the cybersecurity team is always under scrutiny. In fact, one of our customers recently told us: “As CISO, I am the most scrutinised person in the company.”

Metrics and measurement are essential to accurately attest to the effectiveness of your cybersecurity programme. By having rigorous and accurate metrics and measures, you can build trust with oversight functions.

This is especially the case if you have the capability to quickly and easily drill down and cut the data in different ways. It means you can easily pivot and report to different functions with the same baseline data but with a different focus.

Increasing the maturity of your metrics and measurement programme with automation garners further trust by creating a repeatable, ongoing process that removes the manual handling where most human error creeps in. Because every number can be traced back to the source data it was computed from, the figures are easier to defend, everyone is on the same page, and collaboration is faster, more effective, and less stressful.

 

3. Uncover gaps and risks

One of the most useful types of metric is the coverage metric: the proportion of in-scope assets on which a given tool or control is actually deployed and reporting. These highlight gaps in tools and controls that represent potential cybersecurity risk.

If you want to go further, you can layer up coverage metrics. If you are measuring the coverage of your EDR and AV, you can highlight compound risks by identifying those devices that have neither EDR nor AV. This can be a powerful metric to identify and prioritise risks. One caveat: every coverage metric is only as good as its denominator. Measure each control against an independent asset inventory, not against the hosts the tool already knows about, otherwise the devices with no agent at all are exactly the ones that never appear in the numbers.

 

4. Prioritise for maximum impact

As cybersecurity professionals, we know it’s impossible to be 100% secure. You can’t fix every vulnerability, stop every attack, or plug every gap. That’s why you need metrics and measurement to help prioritise your efforts.

If you can measure which problems pose the most risk based on business context, you can take action to make a positive impact on your cybersecurity posture.

For example, say you have 100 critical vulnerabilities. From business context, you know that 10 of those affect machines that are critical to your payments process. And then you find that one of those machines is not covered by AV. That’s a priority as it poses a larger compound risk.
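The following is an added example (not Panaseer code or the page’s own) showing how the coverage and prioritisation metrics in sections 3 and 4 can be computed once you have exports from an asset inventory, an EDR console, an AV console and a vulnerability scanner. All inputs are constructed in-line: the hostnames, the “payments” business tag and the VULN-nnn finding ids are placeholders. It measures each control against the inventory, derives the compound “neither EDR nor AV” gap, flags hosts the tools report that the inventory has never heard of, and ranks findings by severity, then business context, then control gaps.

```python
"""Layered coverage metrics and business-context prioritisation.

Added example (not Panaseer code). All inputs are constructed in-line: an
asset inventory, the hostnames each control's console reports, an assumed
"payments" business tag, and placeholder scanner findings.
"""

# The inventory is the denominator for every coverage metric. Measuring a
# tool only against the hosts it already knows about hides exactly the gaps
# you are looking for.
INVENTORY = ["pay-db-01", "pay-app-01", "pay-app-02", "hr-web-01",
             "dev-box-07", "dev-box-08"]

# Hostnames exported from each control. Case and whitespace differences are
# deliberate: every reconciliation has to normalise before it joins.
EDR_AGENTS = ["PAY-DB-01", "pay-app-01", "hr-web-01", "dev-box-07"]
AV_AGENTS = ["pay-db-01", "pay-app-02 ", "hr-web-01", "dev-box-07", "legacy-01"]

# Assumed business context: assets the payments process depends on.
PAYMENTS_CRITICAL = {"pay-db-01", "pay-app-01", "pay-app-02"}

# Constructed scanner export: (host, finding id, severity). Ids are placeholders.
FINDINGS = [
    ("pay-db-01", "VULN-001", "critical"),
    ("pay-app-01", "VULN-002", "critical"),
    ("pay-app-02", "VULN-003", "critical"),
    ("pay-app-02", "VULN-004", "high"),
    ("hr-web-01", "VULN-005", "critical"),
    ("dev-box-08", "VULN-006", "critical"),
]


def normalise(name):
    """Hostname key used for joining across tools."""
    return name.strip().lower()


def coverage(inventory, agents):
    """Fraction of the inventory seen by a control, plus the two kinds of gap.

    Returns (covered_fraction, uncovered, unknown): `uncovered` is inventory
    the control never reports (a control gap); `unknown` is hosts the control
    reports but the inventory lacks (an inventory-completeness gap).
    """
    inv = {normalise(h) for h in inventory}
    seen = {normalise(h) for h in agents}
    fraction = len(inv & seen) / len(inv) if inv else 0.0
    return fraction, inv - seen, seen - inv


def compound_gaps(inventory, *agent_lists):
    """Inventory hosts missing from every control passed in (e.g. no EDR and no AV)."""
    missing = {normalise(h) for h in inventory}
    for agents in agent_lists:
        missing -= {normalise(h) for h in agents}
    return missing


def rank_findings(findings, business_critical, gaps_by_control):
    """Order findings: critical severity, then business context, then control gaps.

    gaps_by_control maps a control name to the inventory hosts missing it.
    The sort key is lexicographic, so a critical finding on a payments host
    with no AV outranks a critical finding on a dev box that lacks both tools.
    """
    rows = []
    for host, fid, sev in findings:
        h = normalise(host)
        gaps = sorted(c for c, hosts in gaps_by_control.items() if h in hosts)
        rows.append((fid, h, sev, gaps))
    rows.sort(key=lambda r: (r[2] != "critical", r[1] not in business_critical,
                             -len(r[3]), r[0]))
    return rows


def build_report():
    """Assemble the metrics the text describes into one dict."""
    edr_pct, edr_missing, edr_unknown = coverage(INVENTORY, EDR_AGENTS)
    av_pct, av_missing, av_unknown = coverage(INVENTORY, AV_AGENTS)
    return {
        "edr_coverage": edr_pct,
        "av_coverage": av_pct,
        "neither": compound_gaps(INVENTORY, EDR_AGENTS, AV_AGENTS),
        "not_in_inventory": edr_unknown | av_unknown,
        "ranked": rank_findings(FINDINGS, PAYMENTS_CRITICAL,
                                {"EDR": edr_missing, "AV": av_missing}),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

With the constructed data, EDR and AV each cover four of six inventoried hosts, but only dev-box-08 has neither, and legacy-01 shows up in the AV console without being in the inventory at all, which is an inventory-completeness gap rather than a control gap. The ranking puts the two critical findings on payments hosts that are each missing one control ahead of the critical finding on the fully covered payments database, and all three ahead of the dev box that lacks both tools.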

 

5. Solve a specific risk

In December 2021, security teams scrambled to deal with the impact of Log4Shell. Our customers used their metrics programmes to help remediate the vulnerability.

Our “Campaign” functionality accurately measures remediation efforts in real time, which proved a more effective tool than regular ticketing systems. This can also be used to streamline future remediation efforts against other critical vulnerabilities.

 

6. Elevate the conversation

When you’re reporting to bodies like the board, you can use security measurement to elevate the conversation from cyber risk to strategic business risk.

Cyber risk without context is irrelevant, but so is policy that isn’t followed. If your measurement programme considers both business context and policy, you can measure business risk more accurately.

By contextualising cyber risk within a policy compliance framework, you allow more meaningful conversations where multiple stakeholders (such as IT or the board) understand security imperatives, security understands the constraints of those stakeholders, and everyone understands the business impact of a security breach.

A CISO can then talk in terms of non-compliance with a policy that is now business-aligned. They can show exactly where and why failures are happening, and request the necessary support from the board, whether that’s budgetary or cultural support.

In general, a board is well versed in their business so can understand why certain products (e.g. applications) or functions can drive or hinder their success. Making the security conversation align with this improves both the organisation’s understanding of risk and your ability to get budget.

 

7. Set up your team for success

Measurable targets are better targets. While many of the metrics and measures we talk about are used for reporting to stakeholders, there are others that can be used by the security team themselves.

A good metrics programme provides a baseline against your internal policies, from which a team can set achievable and realistic goals, and then transparently measure their progress.

Are we patching within policy? Are our tools and controls deployed effectively?
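“Are we patching within policy?” is a metric a team can compute for itself from scanner data. The block below is an added example (not Panaseer code or the page’s own) that measures remediation against an assumed internal SLA table (14, 30 and 90 days for critical, high and medium). The findings, dates and severities are constructed. It uses the scanner’s own first-seen and no-longer-seen dates rather than ticket timestamps, separates findings that were fixed late from those still open and overdue, and treats a severity with no SLA as a policy gap rather than silently counting it as compliant.

```python
"""Patch-within-policy metric from scanner first-seen / fixed dates.

Added example (not Panaseer code). The SLA table and the findings below are
constructed for illustration.
"""
from datetime import date, timedelta

# Assumed internal policy: days allowed to remediate, by severity.
POLICY_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}

# Constructed scanner export: (finding id, severity, first_seen, fixed_seen).
# fixed_seen is the date a later scan no longer reported the finding, or None
# while it is still open.
FINDINGS = [
    ("F-1", "critical", date(2022, 8, 1), date(2022, 8, 10)),   # fixed day 9
    ("F-2", "critical", date(2022, 8, 1), date(2022, 8, 20)),   # fixed day 19: late
    ("F-3", "critical", date(2022, 8, 20), None),               # open, past deadline
    ("F-4", "high", date(2022, 8, 1), date(2022, 8, 25)),       # fixed day 24
    ("F-5", "high", date(2022, 9, 1), None),                    # open, still inside SLA
    ("F-6", "medium", date(2022, 6, 1), None),                  # open, past deadline
    ("F-7", "informational", date(2022, 7, 1), None),           # no SLA defined
]
AS_OF = date(2022, 9, 15)  # reporting date for the constructed data


def classify(finding, as_of, policy):
    """Bucket one finding against the SLA for its severity."""
    _fid, sev, first_seen, fixed = finding
    sla_days = policy.get(sev)
    if sla_days is None:
        return "no_policy"  # a policy gap, not a remediation gap
    deadline = first_seen + timedelta(days=sla_days)
    if fixed is not None:
        return "fixed_in_policy" if fixed <= deadline else "fixed_late"
    return "open_overdue" if as_of > deadline else "open_in_policy"


def patch_policy_report(findings, as_of=AS_OF, policy=POLICY_SLA_DAYS):
    """Per-severity share of findings within policy, plus the lists to act on.

    A finding counts as within policy if it was fixed before its deadline or
    is still open but not yet due. Findings whose severity has no SLA are
    excluded from the rate and reported separately.
    """
    buckets = {}
    for f in findings:
        buckets.setdefault(f[1], []).append((f[0], classify(f, as_of, policy)))
    report = {}
    for sev, rows in buckets.items():
        in_policy = sum(s in ("fixed_in_policy", "open_in_policy") for _, s in rows)
        measured = sum(s != "no_policy" for _, s in rows)
        report[sev] = {
            "within_policy": in_policy / measured if measured else None,
            "fixed_late": sorted(fid for fid, s in rows if s == "fixed_late"),
            "open_overdue": sorted(fid for fid, s in rows if s == "open_overdue"),
            "no_policy": sorted(fid for fid, s in rows if s == "no_policy"),
        }
    return report


if __name__ == "__main__":
    for sev, row in patch_policy_report(FINDINGS).items():
        print(sev, row)
```

On the constructed data, critical findings are one third within policy (one fixed on time, one fixed late, one open and overdue), high is fully within policy because the open finding has not yet reached its 30-day deadline, and the medium finding is overdue. The informational finding yields no rate at all, which is the prompt to decide whether that severity needs an SLA.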

It can also help with resources. Are you structuring your team to be successful by allocating budget to the areas which need it most?

 

8. Demonstrate success

When you’ve done great work, you want to show it off. We often think that if nothing happens, we’re doing security well. And that may well be true. But there’s always something we can improve.

Have we effectively migrated to a new EDR tool? Have we eliminated a new vulnerability, a la Log4Shell? Is our inventory complete?

But it isn’t just about one-off goals. A mature metrics programme allows you to demonstrate progress over time. Can you prove you have improved your organisation’s overall security posture? For example, by maximising the coverage of your tools and controls? Or by fixing new critical vulnerabilities in a timely manner?

The aforementioned Campaign feature proves you have completed a scope of work, such as addressing a specific set of vulnerabilities, when more are coming in all the time.

 

9. Benchmarking and best practice

Accurate metrics can help you benchmark against frameworks, standards, and your own policies.

But it isn’t always easy to get benchmarks for all security metrics. There isn’t a lot of community sharing around “what good looks like”. Your CMDB is 90% complete. Is that good? Bad? Medium?

At Panaseer, we help our customers with guidance on benchmarking and best practices based on our partnerships with framework organisations and experience with security measurement across industries.

Benchmarking is also helpful in communication with the board. The board is used to thinking about how their competitors are performing, so it can be useful for the CISO to talk in terms of risk appetite compared with the “competition” as well.

 

10. Justify spend and get buy-in

When you’re measuring your security, you’re essentially collecting evidence. Use it to provide proof of your security posture, and of the effectiveness of the actions you take to improve it. If your measurement programme is capable of that, you can justify spend, make recommendations, and get buy-in for future projects. 

 

How can you automate security measurement?

Automating security measurement can be a tough but rewarding exercise. We’ve spoken to many organisations that have put millions of dollars and thousands of hours into building an in-house solution, but it can be difficult to build a scalable automated measurement programme.

Panaseer automates security measurement, metrics and reporting, with a Continuous Controls Monitoring platform, allowing you to proactively understand and manage your security posture. By ingesting data from across security and business tools, the platform identifies missing assets, gaps in the coverage of tools and controls, and applies business context to measurement so you can prioritise business risk more effectively.

So, yes, measurement and reporting may not be the most glamorous. But it’s crucial for proactively improving security posture and cyber hygiene.

 

If you’re now excited about security metrics, we will be at FS-ISAC on 10 Oct in Scottsdale, Arizona. Look out for our presentation “What metrics to measure” on Monday, October 10, at 2:30pm – 3:15pm.