How to effectively use metrics for security optimization
September 10, 2020
Many industries are embracing digital ways of working, a trend the COVID-19 pandemic has accelerated. As a result, more companies are exploring new technologies, new connections and new ways of working. But as digitization and connectivity expand, so do attack surfaces. An initial analysis of the situation suggests companies are rising to the challenge. On average, 10.9 percent of an organization’s IT budget is dedicated to cybersecurity programs and operations. These investments have significantly improved the basics of cybersecurity and have led to a 27 percent drop in cybersecurity breaches.
Cyber hygiene is improving. But tangible benefits from cybersecurity investments are failing to materialize.
“Sixty-nine percent of security executives believe that the cost of staying ahead in the cyber arms race is unsustainable.”
In most organizations, this cost has seen double-digit growth, and with it the need for accurate visibility and reporting has grown too. Fortunately, most board members today understand the cybersecurity risks their organizations face.
“To overcome cybersecurity challenges, institutions across industries must drop the common perception of the cybersecurity department as a pure cost center.”
Instead, they must tie the department’s value to tangible outcomes and quantifiable risk reduction. This becomes even more essential in group organizations: the group as a whole often carries the overall risk, while its IT landscape is scattered and uneven across the individual entities.
The damage and costs of cyber breaches have been heavily covered by news organizations in recent years, and the global business community rightfully regards cybersecurity risk as one of the biggest risks facing business and society today. In light of this, most organizations are seeking cyber resilience. Safeguarding business continuity and operational resilience has made cybersecurity an integral part of business strategy. The growing number of CISO and CSO appointments to lead cybersecurity programs and security operations is further evidence of this trend, as is the 10+ percent of most IT budgets that is dedicated to such initiatives.
The scale, sustainability and results of such investments depend heavily on the individual organization and its strategy. However, our research has found that leaders can hold or even reduce overall security cost while maintaining their security posture. To achieve stellar results, leaders must focus on the right security capabilities, and they must establish a reporting structure that covers both security ambitions and security performance.
By employing the right metrics, leaders can tailor the message to the audience, create a common language for security, and engage in meaningful discussions with stakeholders across the business. It is worth widening the scope of security discussions from security practitioners to executives and board members. Doing so gives leaders a platform on which the security program can align with the business outlook. This paves the way for better performance in a dynamic environment, and it can yield further cost reductions while preserving an acceptable level of residual cyber risk.
The majority of organizations already have an ambitious security program. Typically, these start with a traditional maturity assessment and ambition setting: each organization defines a set of capabilities based on industry standards and a set of minimum objectives. Unfortunately, this approach falls short when it comes to operationalizing those capabilities. Reaching a given maturity level in a category does not prove that the controls in that category are effective, so the organization still carries residual risk that the maturity score does not reveal.
Additionally, security teams are routinely overwhelmed by data sources: tool output, risk registers, external benchmarking, and so on. The metrics CISOs use often relate directly to the IT landscape, so the link to the business strategy is not as straightforward as it should be. For example, it is easy to report the number of vulnerabilities present in the environment together with their CVSS scores. Deriving the actual risk they pose to business operations is another story: the same CVSS score means something very different on an isolated test server than on an internet-facing payment system.
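The following is an added example, not code from the article or its authors, to make the vulnerability-count versus business-risk point concrete. It takes a constructed scanner export and a constructed asset-to-service mapping and produces two metrics: the raw severity counts a CISO dashboard usually shows, and a per-business-service risk figure. The weighting (CVSS scaled by an assumed business-criticality weight, doubled for internet exposure and doubled again when a finding is past an assumed 30-day patch SLA) is a hypothetical heuristic chosen for illustration, not a standard. Unmapped assets are deliberately kept visible under their own bucket rather than silently dropped.

```python
"""Added example: from a raw vulnerability inventory (what the scanner reports)
to a business-contextual risk metric (what a service owner or board can act on).
All asset names, service names, scores and weights below are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float            # CVSS v3.x base score, 0.0-10.0
    internet_facing: bool  # exposure context the scanner usually knows
    days_open: int         # age of the finding, from the ticket or scanner


@dataclass(frozen=True)
class Asset:
    service: str   # business service the asset supports
    weight: float  # business criticality, 0.0-1.0, agreed with service owners


# Assumed fallback for assets the CMDB does not know: treat as fully critical
# so that an inventory gap shows up as risk instead of disappearing.
UNMAPPED = Asset(service="Unmapped assets", weight=1.0)


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative bands (None/Low/Medium/High/Critical)."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def count_by_severity(findings) -> dict:
    """The metric most CISO decks start with: how many findings per severity."""
    return dict(Counter(severity(f.cvss) for f in findings))


def finding_risk(f: Finding, asset: Asset, sla_days: int = 30) -> float:
    """Hypothetical weighting (assumption, not a standard): CVSS scaled by
    business criticality, doubled if internet-facing, doubled if past SLA."""
    score = f.cvss * asset.weight
    if f.internet_facing:
        score *= 2.0
    if f.days_open > sla_days:
        score *= 2.0
    return score


def risk_by_service(findings, assets, sla_days: int = 30) -> dict:
    """Aggregate per business service, the unit a business stakeholder recognises."""
    totals = defaultdict(float)
    for f in findings:
        asset = assets.get(f.asset, UNMAPPED)
        totals[asset.service] += finding_risk(f, asset, sla_days)
    return dict(totals)


def top_service(findings, assets) -> str:
    """The service a business-facing report should lead with."""
    ranked = risk_by_service(findings, assets)
    return max(ranked, key=ranked.get)


# Constructed sample data: a scanner export and a CMDB extract, both invented.
ASSETS = {
    "dev-test-01": Asset(service="Internal dev sandbox", weight=0.1),
    "pay-gw-01": Asset(service="Customer payments", weight=1.0),
    "hr-portal": Asset(service="HR self-service", weight=0.5),
}
FINDINGS = [
    Finding("dev-test-01", 9.8, False, 5),
    Finding("dev-test-01", 9.1, False, 12),
    Finding("dev-test-01", 9.0, False, 3),
    Finding("pay-gw-01", 6.5, True, 45),    # a "Medium" that is overdue and exposed
    Finding("hr-portal", 7.5, True, 10),
    Finding("legacy-box-7", 5.0, False, 2),  # not in the CMDB at all
]

if __name__ == "__main__":
    print("Severity counts:", count_by_severity(FINDINGS))
    for service, score in sorted(risk_by_service(FINDINGS, ASSETS).items(),
                                 key=lambda kv: -kv[1]):
        print(f"{service:22s} {score:6.2f}")
    print("Lead with:", top_service(FINDINGS, ASSETS))
```

Run stand-alone, the severity count reports three Criticals, all on the dev sandbox, while the service view puts the overdue, internet-facing Medium on the payments gateway well ahead of them. Which of the two reports is "right" depends on the audience; the point is that the second cannot be derived from the first without the business context the scanner does not have.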
Lastly, the cybersecurity field can still be ambiguous at times. Terms such as threat, risk, vulnerability, integrity and resilience may be interpreted differently by each stakeholder, even if there is a common understanding of them within the security sector. System administrators, product owners, application developers and business leaders are likely to each have their own understanding of such terms. This risk of misinterpretation reinforces the need for two things: first, a common understanding built through awareness; second, reports tailored to the audience, with meaningful metrics presented in terms that all audience members have agreed upon.
A dual Top-Down and Bottom-Up approach is necessary to create cyber reporting structures that are relevant both to leaders across the board and to security practitioners along the hierarchical ladder. The approach must be designed to establish a fit-for-purpose cyber metrics catalog and consensus on the reporting mode and medium. The Top-Down element is centered on the company’s strategy; it provides the foundation on which the bridge between security performance and business outcomes can be reinforced. The Bottom-Up element is centered on a co-creative journey with security practitioners from all capabilities; it brings cyber performance reporting in line with operational and risk objectives. Marrying the strategic and operational perspectives creates reporting structures that enable focus and higher performance.
Strategic priorities change over time, threat actors become more diverse and sophisticated, and the internal IT landscape evolves in line with business and technical needs. Cybersecurity reporting sits at the intersection of these three moving parts. For the reporting structure to remain a north star for improved security performance and ambition, it should be rooted in a governance structure that continuously reassesses the relevance of the underlying indicators and fills the gaps with new ones.
Over time, the reporting structure’s success will increase the demand for cyber reporting, and that demand may exceed the reporting team’s capacity. In response, the reporting team should transition from a fixed-scope basis to a cyber reporting center of excellence. The center should leverage a scalable, automated data collection architecture plus impactful visualizations. This gives the reporting structure the additional flexibility needed to support the integration of new stakeholders, governance bodies and initiatives. Such flexibility becomes the bedrock for a companywide culture of security, and it infuses security across an ever-increasing number of initiatives throughout the company.
The cybersecurity market is evolving fast. Rapid adoption and deployment of newer technologies, and better support for IT strategies, is a priority for many companies. Most organizations want to accelerate the development of their cybersecurity capabilities and become cybersecurity leaders. To do this, they must be able to measure the cybersecurity department’s performance accurately, and they must build a communication vehicle that reaches across the organization. This will greatly contribute to the consistent adoption of security standards and will reduce cybersecurity risk. It will also help business stakeholders feel more confident about their security investments.
This article has been co-written by Jonas Van De Wygaert.