As security issues dominate, use the right plans and metrics to thrive



This article was provided by Joe Partlow, CTO of ReliaQuest

The end of the year is traditionally a hectic time for organizations completing their preparations for the coming year. New budgets are allocated, and department leaders draw on the previous year’s metrics, results, and challenges to justify additional spending for the next year. In 2021, cybersecurity was under the spotlight like never before, with the pandemic leading to a 600% increase in cybercrime. As a result, organizations are being forced to address cybersecurity with direct orders from CEOs and board members.

However, of all the metrics that department leaders analyze, the most difficult to track is security progress and effectiveness. In fact, measuring this progress remains the primary hurdle for organizations seeking to implement an IT security risk management program, so it is imperative that security leaders understand how to communicate it effectively to top management.

As companies begin implementing plans for 2022, security leaders should first meet with their direct reports to agree on which metrics to track, so that the foundation for measurement is clearly established. Once that is settled, both parties need to revisit and realign these metrics regularly so that the plan does not become obsolete.

Creating the baseline for next year

When it comes to reporting metrics in an organization, it is important for every department lead to communicate with their direct reports at least three to four months before the reporting stage. This is a crucial step in ensuring that the department lead is well prepared and can determine which results will resonate best with the board. Through a sales lens, the conversation is fairly straightforward: How many sales leads do you get per month? How many of these convert into closed sales? How effective are you at talking to potential customers on the phone?

However, through a cybersecurity lens, tracking effectiveness and demonstrating ROI to the C-suite and the board is more complex. There is no monthly quota to meet, and many team leaders struggle to find ways to present performance.

Deciding which metrics to track depends on many factors, such as the size of your organization, how many customers you have, or where your company is headquartered. That said, there are many aspects of an organization’s security posture that should be tracked for businesses of any size.

Align on metrics for security

One of the most important skills a security professional can develop is telling a complex story to a non-technical partner, and with 63% of security managers believing that board members do not understand the value of new security technologies, that storytelling can be a challenge.

The easiest way to communicate this is to lead with the metrics. While the exact set will vary by organization, the metrics below are ones that all security team leaders should be aware of, along with strategies for communicating that progress to the board.

  • Level of readiness: This metric should be monitored continuously, as it shows how prepared the company is for a breach. It is one of the most difficult to communicate to the board, since there is no hard and fast number that determines how “ready” the organization is. However, keeping corporate-network devices up to date and patched is a practical step, and patch status is a metric you can track and communicate to keep the organization secure.
  • Tool effectiveness: This matters because, as a security leader, you are responsible for explaining which tools and services the security team should invest in. Many services will give you an averaged third-party vendor rating snapshot, which can be checked regularly and submitted to the board. Such a rating is an effective way to show progress to a non-technical audience and to justify the budget required for a particular piece of security infrastructure.
  • Breach attempts or security incidents: While this is uncomfortable to discuss, it is a necessary metric to communicate. You can show not only how many times attackers tried to attack the corporate network, but also how many of those attempts were detected and blocked. Showing a decrease in the number of incidents year-on-year will be a key measure for board members in judging the success of the security program and where changes may be needed.
  • Time to detect, resolve and contain attacks: These three should be tracked separately, but analyzing them together can provide new insight into where parts of the incident response plan may be lacking. These metrics carry significant weight with board members when you are trying to persuade them to invest more resources in security tools that will make the company’s response to potential cyberattacks as quick and efficient as possible.
  • Trends and mapping risks to the business: To obtain buy-in and support from the board, it is important to demonstrate that the security program addresses the most significant risks to the business. Mapping critical business risks to the security controls and technology you are implementing is the best way to show ROI, alongside trends in results.
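As an added illustration of the “time to detect, resolve and contain” and year-on-year incident metrics above (example code written for this edit, not from the article or ReliaQuest), the following computes per-year medians from incident records; the records are constructed, and the choice to measure detection from first malicious activity and containment/resolution from detection is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Incident:
    year: int
    started: str    # first malicious activity (ISO-8601)
    detected: str   # first alert or analyst acknowledgement
    contained: str  # spread stopped (host isolated, credentials reset, ...)
    resolved: str   # ticket closed, root cause remediated
    blocked: bool   # stopped at the perimeter with no further impact


# Constructed sample records, not real incident data.
INCIDENTS = [
    Incident(2020, "2020-03-01T02:00", "2020-03-03T09:30", "2020-03-03T15:00", "2020-03-10T17:00", False),
    Incident(2020, "2020-06-12T11:00", "2020-06-12T11:05", "2020-06-12T11:20", "2020-06-13T09:00", True),
    Incident(2020, "2020-09-20T20:00", "2020-09-22T08:00", "2020-09-22T12:00", "2020-09-29T12:00", False),
    Incident(2021, "2021-02-05T13:00", "2021-02-05T13:15", "2021-02-05T14:00", "2021-02-07T10:00", False),
    Incident(2021, "2021-08-15T04:00", "2021-08-15T04:02", "2021-08-15T04:10", "2021-08-15T09:00", True),
]


def _hours(later: str, earlier: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 3600


def response_metrics(incidents, year):
    """Median time-to-detect, time-to-contain and time-to-resolve (hours) for one year,
    plus the raw incident count and how many were blocked outright. Medians resist the
    skew a single long-running incident would put on a mean."""
    rows = [i for i in incidents if i.year == year]
    return {
        "incidents": len(rows),
        "blocked": sum(i.blocked for i in rows),
        "mttd_h": median(_hours(i.detected, i.started) for i in rows),
        "mttc_h": median(_hours(i.contained, i.detected) for i in rows),
        "mttr_h": median(_hours(i.resolved, i.detected) for i in rows),
    }


def year_over_year(incidents, prev, curr):
    """Percentage change in incident count between two years (negative = decrease)."""
    a, b = response_metrics(incidents, prev), response_metrics(incidents, curr)
    return round(100.0 * (b["incidents"] - a["incidents"]) / a["incidents"], 1)


if __name__ == "__main__":
    for y in (2020, 2021):
        print(y, response_metrics(INCIDENTS, y))
    print("Year-on-year incident change:", year_over_year(INCIDENTS, 2020, 2021), "%")
```

A falling incident count can also mean reduced visibility rather than fewer attacks, so present it next to the detected and blocked counts rather than on its own.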

All good plans must be revisited and adjusted constantly, and this is especially true for cybersecurity. Cybercriminals continue to evolve a dangerous threat landscape, constantly adopting new attack methods. Security leaders and organizations should think about this not only during the planning and reporting season, but throughout the year. Without up-to-date response plans and solid security metrics, your organization will fall behind sophisticated attackers.

Security leaders will be able to avoid some of the most common mistakes and oversights if they take the time to determine how best to measure progress and, in turn, communicate their needs effectively to the C-suite and the board.

Joe Partlow is the CTO of ReliaQuest.

DataDecisionMakers

Welcome to the VentureBeat community!
