Cybersecurity Posture Metrics Matter More Than Ever
Metrics and modern cybersecurity are intrinsically linked. CISOs use metrics to determine priorities, inform decisions, support investments, track progress and maintain accountability. At this point, if you are a CISO, you are likely a data-driven CISO. Are you comfortable with your choice of metrics?
The challenge is that cybersecurity covers a broad range of areas, and each area has its own type of data and its own metrics. The purpose of this paper is to focus on the specific area of cybersecurity posture management and the key metrics relevant to it.
Cybersecurity posture management is the continuous process of managing an organization’s cyber risk by quantifying and reducing the likelihood and impact of a successful breach; in short, it is the management of cyber risk. It typically includes three practices:
- Asset Inventory: Managing the organization’s digital assets
- Vulnerability Management: Discovering and managing risk items such as software vulnerabilities (Common Vulnerabilities and Exposures, or CVEs), misconfigurations and weak/reused passwords
- Cyber Risk Quantification: Quantifying and reporting on the identified cyber risks in dollars
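As an added illustration of how these three practices combine into reportable numbers (example code written for this page, not code from the paper or its authors), the Python below takes a constructed asset inventory with CVE, misconfiguration and weak-password findings, applies a deliberately simple independent-likelihood-times-impact model (an assumption; the paper prescribes no formula), and produces dollar-denominated posture metrics plus a per-finding remediation value. All asset names, dollar values, likelihoods and identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    kind: str          # "cve", "misconfig" or "weak_password"
    ref: str           # identifier; CVE ids below are placeholders, not real
    likelihood: float  # assumed annual probability the item is exploited

@dataclass
class Asset:
    name: str
    value_usd: float   # assumed loss if this asset is breached
    findings: list = field(default_factory=list)

def breach_likelihood(asset):
    # P(at least one finding is exploited this year); findings are treated
    # as independent, which is a modelling assumption for illustration
    p_none = 1.0
    for f in asset.findings:
        p_none *= 1.0 - f.likelihood
    return 1.0 - p_none

def expected_loss(asset):
    # Cyber risk for one asset, in dollars: likelihood x impact
    return breach_likelihood(asset) * asset.value_usd

def remediation_value(asset, ref):
    # Dollars of expected loss removed by fixing one finding; lets you rank
    # remediation work by risk reduction rather than by severity alone
    rest = [f for f in asset.findings if f.ref != ref]
    return expected_loss(asset) - expected_loss(Asset(asset.name, asset.value_usd, rest))

def posture_metrics(assets):
    # Roll-up suitable for an executive or board report
    return {
        "assets": len(assets),
        "assets_with_open_findings": sum(1 for a in assets if a.findings),
        "expected_annual_loss_usd": round(sum(expected_loss(a) for a in assets), 2),
        "highest_risk_asset": max(assets, key=expected_loss).name,
    }

# Constructed inventory; every identifier and value is a placeholder
SAMPLE_ASSETS = [
    Asset("web-frontend", 500_000, [Finding("cve", "CVE-PLACEHOLDER-1", 0.30),
                                    Finding("misconfig", "tls-weak-ciphers", 0.10)]),
    Asset("customer-db", 1_000_000, [Finding("weak_password", "shared-admin-cred", 0.05)]),
    Asset("staff-laptop-42", 20_000),
]
```

Running `posture_metrics(SAMPLE_ASSETS)` on this inventory reports an expected annual loss of $235,000 with the web frontend as the highest-risk asset, and `remediation_value` shows that closing its CVE removes $135,000 of that figure.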
Reporting cybersecurity posture metrics to the executive leadership team in an easy-to-understand way is increasingly important for CISOs. This is largely because C-suite focus on cybersecurity as a risk area has risen rapidly over the past few years. Recent surveys of CEOs, CFOs and CIOs have consistently shown that cybersecurity is one of their top concerns. In fact, it is often ranked #1 or #2, right alongside digital transformation.
Similarly, cybersecurity reporting is increasingly a board issue. Regulatory requirements like the proposed SEC rule changes in the United States, and the recently passed SLACIP Act in Australia, make board involvement in overseeing cybersecurity posture mandatory. As a result, a growing number of CISOs are compiling security metrics appropriate for reporting to the board.