CISOs, or Chief Information Security Officers, have traditionally relied heavily on metrics and spreadsheets to gauge the progress of their security measures. These metrics typically focused on specific systems or single indicators such as vulnerabilities identified, percentage of vulnerabilities addressed, and coverage of software and hardware asset inventory. However, the NIST Cybersecurity Framework (CSF) 2.0 emphasized that using these metrics alone may not provide a complete or accurate representation of security outcomes.
While siloed metrics do have their place in cybersecurity, CISOs are now recognizing the limitations of relying solely on these metrics. They are realizing that a more holistic approach, which includes a deeper understanding of security processes, is essential for building greater security agility and improving teams’ responsiveness and effectiveness.
In the past, CISOs primarily received siloed reports in spreadsheets from various tools, which were then manually aggregated for a comprehensive view. As visualization tools and API integrations became more common, CISOs began to embrace the use of dashboards to complement their spreadsheets. These dashboards offered a visually appealing way to present metrics and communicate security stories effectively.
While these metrics and dashboards provided a sense of control and accountability, CISOs are now recognizing the need to go beyond narrow metrics and delve into security processes. The recent cyber attacks by Chinese and Russian hackers targeting top US government officials and Microsoft executives showcased the importance of understanding and addressing security processes alongside metrics.
By integrating process compliance metrics into their security measures, CISOs can gain a more comprehensive view of their organization’s security posture. Process metrics provide insight into how teams perform their work across multiple systems and attributes, breaking down silos and aligning more closely with the outcomes-driven approach advocated by CSF 2.0.
While narrow metrics can offer valuable insights into day-to-day security operations, they have limitations in capturing the complexity of security processes and outcomes. By prioritizing process-driven security, CISOs can achieve a more comprehensive understanding of how security measures work together, promote true accountability, and foster adaptability and innovation in response to emerging threats.
Building a process-driven security culture requires analyzing and instrumenting security processes, providing guidance rather than rigid rules, and empowering human experts to lead the way in designing and adapting processes. By capturing processes with compound metrics that span systems and behaviors, security teams can focus on outcomes and become more adaptable in addressing cybersecurity challenges.
In conclusion, CISOs are recognizing the need to evolve beyond traditional reliance on narrow metrics and dashboards towards a more process-driven approach to cybersecurity. By integrating process metrics and prioritizing outcomes over simple metrics, CISOs can enhance their organization’s security posture and effectively respond to the dynamic threat landscape.