
Essential Metrics You Need to Measure Beyond the Typical Top 10 List


In the rapidly evolving domain of cybersecurity, professionals often find themselves inundated with articles detailing the top metrics necessary for achieving enhanced performance, bolstering security posture, and effectively communicating with stakeholders, particularly those at the board level. Lists featuring metrics like Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), and Average Vendor Security Rating are frequently highlighted. Their objective is to empower organizations to gauge their current positioning, strategize their future direction, and collaborate with peers to diminish risks and vulnerabilities associated with threats.

Despite these efforts, the cybersecurity industry continues to wrestle with establishing an effective framework for tracking and interpreting these metrics. Leading firms and cybersecurity experts are engaged in extensive discussions regarding "what needs to be measured." Influential voices in the field range from Google’s security leadership to various metrics specialists and risk rating authorities, all contributing to the broader conversation surrounding effective measurement practices.

While identifying which metrics to monitor is indeed a valuable starting point, the more intricate challenge lies in developing a methodology for continuous assessment. It is crucial to recognize that metrics do not exist in isolation; they must be interconnected to yield a thorough understanding of an organization’s security environment and performance in relation to various benchmarks, including risk tolerance and regulatory policies. Currently, there exists a considerable disconnect between cybersecurity measurements and the ability to maintain a real-time, comprehensive perspective. This gap impedes cybersecurity leadership from accurately assessing prevailing circumstances, promptly identifying vulnerabilities, prioritizing critical risks, and implementing effective action plans.

Even if one were to compile a definitive list of the top ten metrics deemed essential for tracking, it would only represent a preliminary step, as the importance of each metric hinges on the unique objectives and audiences of a given organization. The true efficacy of these metrics is realized when they are correlated, enabling organizations to glean insights into how one variable influences another. This correlation fosters the development of a dynamic, comprehensive narrative regarding an organization’s security performance.

Challenges in Current Measurement Approaches

During interactions with various security organizations, three prevalent yet ineffective strategies for measuring cybersecurity effectiveness have been identified. Firstly, there exists an excessive reliance on spreadsheets, where practitioners often drown in a deluge of data represented as endless rows and columns. While these spreadsheets are intended to encapsulate an organization’s security posture, they often exacerbate complexity rather than clarify it.

Secondly, many organizations attempt to meld analytics tools with their cybersecurity systems. This integration frequently results in a disconnect; data analysts may not possess the nuanced understanding of security that cybersecurity professionals have, and vice versa. Lastly, organizations sometimes consult the Big Four accounting firms, only to receive another unwieldy spreadsheet devoid of actionable insights.

Each of these approaches shares a common flaw: they fail to provide genuine applicability, leaving security teams without the tools needed to make informed decisions. These static methods are cumbersome in practice; they require heavy manual input and cannot respond dynamically to the fluid nature of security challenges.

Security leaders recognize the inadequacy of capturing a complex and evolving landscape with tools that are inherently static. To be effective, a more agile approach is required—one that interlinks various measurements of performance, risk, and threats in ways that provide meaningful context.

Experiences shared by customers underscore the immense challenge organizations face in creating meaningful metric automation programs. Notably, they struggle with (1) identifying which data is genuinely significant, (2) ensuring continual data collection and maintenance, and (3) integrating the security context when data analysts primarily manage the data. These hurdles explain why numerous organizations abandon in-house metric initiatives despite substantial investments of time and financial resources.

To harness the full potential of metrics, organizations require real-time data that goes beyond mere static numbers. This data must be flexible, demonstrating both historical trends and adaptability to current priorities. Such a comprehensive approach would enable organizations to identify existing gaps and undertake impactful actions based on prioritized needs.

The Importance of Correlating Metrics

A salient example of how correlated metrics can yield significant advantages lies in vulnerability management. For instance, a vulnerability management system may flag over a thousand endpoints as critical, but determining which to prioritize can be daunting. By cross-referencing vulnerability data with asset management details, organizations can extract valuable insights about the business units to which these endpoints belong.

Incorporating identity security information, such as which users are associated with these endpoints, whether they hold administrative privileges, and whether they have access to sensitive data, can further refine vulnerability prioritization. Automated contextual analysis allows teams to focus on vulnerabilities that pose the greatest risk to business operations, ensuring alignment with critical objectives.

This methodology can similarly apply to prioritizing endpoints lacking coverage, identifying unscanned projects, or addressing offboarding discrepancies, all through correlating data from various security tools.
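The correlation described in this section, sketched as an added example that is not from the article or from any vendor's product: scanner findings that all carry the same "critical" rating are joined with asset and identity records to produce a ranked list, and endpoints the scanner sees but the inventory does not are reported separately. The field names, sample records and scoring weights are assumptions constructed for illustration.

```python
# Constructed sample exports; field names, values and weights are assumptions.
FINDINGS = [  # vulnerability scanner output: every row is rated "critical"
    {"endpoint": "ws-101", "vuln": "VULN-A"},
    {"endpoint": "ws-102", "vuln": "VULN-A"},
    {"endpoint": "srv-db1", "vuln": "VULN-B"},
    {"endpoint": "ws-999", "vuln": "VULN-A"},
]
ASSETS = {  # asset management: endpoint -> business unit and its criticality (1-3)
    "ws-101": {"unit": "Marketing", "unit_criticality": 1},
    "ws-102": {"unit": "Finance", "unit_criticality": 3},
    "srv-db1": {"unit": "Payments", "unit_criticality": 3},
}
IDENTITIES = {  # identity system: endpoint -> attributes of its primary user
    "ws-101": {"user": "alice", "admin": False, "sensitive_data": False},
    "ws-102": {"user": "bob", "admin": True, "sensitive_data": True},
    "srv-db1": {"user": "svc-db", "admin": False, "sensitive_data": True},
}

def prioritize(findings, assets, identities):
    """Join the three sources per endpoint; return (ranked, unmatched)."""
    ranked, unmatched = [], []
    for f in findings:
        asset = assets.get(f["endpoint"])
        if asset is None:
            # Scanned but absent from the inventory: surface it as a gap
            # instead of silently dropping or mis-scoring it.
            unmatched.append(f["endpoint"])
            continue
        ident = identities.get(f["endpoint"], {})
        score = asset["unit_criticality"]
        reasons = ["unit=" + asset["unit"]]
        if ident.get("admin"):
            score += 3
            reasons.append("admin user")
        if ident.get("sensitive_data"):
            score += 2
            reasons.append("sensitive data access")
        ranked.append({"endpoint": f["endpoint"], "vuln": f["vuln"],
                       "score": score, "reasons": reasons})
    # Highest business risk first; endpoint name breaks ties deterministically.
    ranked.sort(key=lambda r: (-r["score"], r["endpoint"]))
    return ranked, unmatched

if __name__ == "__main__":
    ranked, unmatched = prioritize(FINDINGS, ASSETS, IDENTITIES)
    for r in ranked:
        print(r["score"], r["endpoint"], r["vuln"], ", ".join(r["reasons"]))
    print("not in asset inventory:", unmatched)
```

The same join, keyed on endpoint or user, extends to the other cases mentioned above, such as endpoints lacking coverage or offboarding discrepancies.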

Harnessing Metrics for Enhanced Security Outcomes

The overarching value of metrics lies in their ability to inform prioritization among security initiatives. Moving beyond isolated views of a "top ten metrics" list allows security leaders and teams to discern interrelated patterns throughout the security landscape, resulting in deeper insights, streamlined workflows, and ultimately more impactful security outcomes.

As organizations strive for a comprehensive understanding of their security environments, the innovative integration of various metrics stands to illuminate critical insights that may have previously remained obscured. By fostering an interconnected approach to cybersecurity metrics, companies can not only improve their risk management strategies but also cultivate a proactive security culture.

About the Author
Shirley Salzman is the CEO and Co-Founder of SeeMetrics, an innovative data fabric for risk management that enables security teams to assess performance across people, processes, and technologies. With over a decade’s experience in commercial leadership, she has cultivated a deep understanding of cybersecurity dynamics. Shirley can be contacted through her LinkedIn profile or via the SeeMetrics website.
