Speaking the language of the Board with Outcome-Driven Cybersecurity Metrics


The relentless rise of cyberattacks and their devastating consequences has created a communication chasm between the CISO and the boardroom. Executives need a clear understanding of the effectiveness of their cybersecurity investments, but traditional security metrics often fail to paint a complete picture. This lack of transparency does not engender trust, and it hinders the allocation of the resources crucial for building robust controls.

Enter outcome-driven metrics (ODMs). This reporting method in cybersecurity clarifies communication between technical teams and business leaders. ODMs shift the focus from activity-based metrics (e.g., number of firewalls deployed, tickets closed, incidents avoided) to a more impactful approach, measuring the actual protection levels achieved.

Why Do Traditional Metrics Fall Short?

For years, security professionals have relied on metrics that track activities and processes. While valuable for internal monitoring, these metrics often fail to resonate with board members who lack a deep understanding of cybersecurity intricacies. Metrics like the number of vulnerabilities identified or security patches deployed don't directly translate to business value or speak to the risk appetite. Executives need to understand:

  • Is our security posture improving?
  • Are we mitigating the risks that matter most to the organization?
  • How effectively are our security investments protecting our critical assets?
  • Is our security budget at the correct level?

Traditional metrics leave these questions unanswered, hindering effective communication and resource allocation.

Outcome-Driven Metrics defined

According to Gartner, “Outcome-driven metrics are measures of operational and business outcomes that provide a direct line of sight back to the outcomes on which they depend, and with outcomes that are dependent on them. Outcome-driven metrics can be used to measure and report on the outcomes of an investment, create situational awareness to manage operational risk and measure the readiness of technology to support business outcomes. In cybersecurity, they measure the levels of protection created by different control classes.” [1]

The Power of Outcome-Driven Metrics

ODMs bridge this gap by establishing a clear connection between cybersecurity investments and the resulting protection levels. According to Gartner [2], ODMs offer several key advantages:

  • Alignment with Business Goals: ODMs are explicitly tied to an organization's risk tolerance and overall business objectives. This ensures that security investments directly address the most critical threats.
  • Boardroom Communication: ODMs are designed to be easily understood by non-technical executives. They use clear, concise language that conveys the effectiveness of security measures in protecting the organization's critical data and systems.
  • Defensible Investment Strategy: ODMs provide a data-driven justification for cybersecurity spending. By demonstrating the impact of investments on protection levels, ODMs help build a strong case for resource allocation.
  • Continuous Improvement: ODMs enable ongoing monitoring and evaluation of security effectiveness. This allows for adjustments to strategies and resource allocation based on real-world outcomes.

Examples of Outcome-Driven Metrics

Several key metrics can be used to measure cybersecurity outcomes:

  • Mean Time to Detect (MTTD): This metric tracks the average time it takes to identify a security incident. A lower MTTD indicates a more proactive security posture.
  • Mean Time to Respond (MTTR): This metric measures the average time it takes to contain and remediate a security incident. A faster MTTR minimizes the potential damage from an attack.
  • Dwell Time: This metric represents the duration an attacker remains undetected within a system. A shorter dwell time signifies a more effective monitoring and response capability.
  • Phishing Click-Through Rate: This metric tracks the percentage of employees who click on malicious phishing emails. A lower click-through rate indicates a more robust security awareness program.

Implementing Outcome-Driven Metrics

Step 1: Aligning with Business Goals

The foundation of any successful ODM strategy lies in alignment with business objectives. Here's what this entails:

  • Risk Tolerance Assessment: Clearly define your organization's risk appetite. What level of disruption or financial loss is the Board comfortable tolerating? Understanding this helps prioritize security investments.
  • Critical Asset Identification: Pinpoint your most valuable assets – data, systems, and infrastructure. These are the crown jewels of the company.

Step 2: Selecting the Right Metrics

With business goals and critical assets identified, choose the right set of ODMs. Here are some key considerations:

  • Relevance: The chosen metrics should directly measure progress towards achieving your security goals. Don't get bogged down in vanity metrics that don't translate to real-world protection.
  • Actionability: The metrics should provide actionable insights. They should tell you not just if you're failing, but also why and where you need to improve.
  • Balance: Strive for a balanced set of metrics that capture different aspects of security effectiveness.

Examples discussed above include Mean Time to Detect (MTTD), Mean Time to Respond (MTTR) and Dwell Time.

Step 3: Establishing Baselines

Before you can measure improvement, a baseline is required. Analyse the company's current security posture to establish the starting point for each chosen ODM. This allows progress to be tracked over time and the effectiveness of the controls to be demonstrated.

Step 4: Communication is Key

Regularly report ODM data to the boardroom. The goal is clear and concise communication: avoid technical jargon and focus on presenting the information in a way that resonates with non-technical executives. Here are some best practices:

  • Visualize Your Data: Utilize charts and graphs to make complex data easily digestible.
  • Focus on Trends: Highlight trends in your ODMs over time. This allows the board to see the impact of security investments.
  • Actionable Insights: Don't just report the data, explain what it means and propose actionable steps based on the insights gained.
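As an added example that is not part of this article (nor Gartner's material), the following Python computes the four metrics listed earlier (MTTD, MTTR, dwell time and phishing click-through rate) from constructed incident and campaign records, takes the first reporting period as the baseline (Step 3) and reports every later period as a trend against it in plain language (Step 4). The record fields, the quarterly bucketing and the interval boundaries are this example's own assumptions; in particular the article does not say where MTTD and dwell time start, so here MTTD runs from the first telemetry evidence to detection and dwell time from initial compromise to detection.

```python
"""Outcome-driven metrics from incident records (illustrative, constructed data)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """One incident with the timestamps the metrics need (schema is this example's own)."""
    incident_id: str
    compromised_at: datetime     # initial foothold, as established by forensics
    first_evidence_at: datetime  # earliest log/alert showing the activity
    detected_at: datetime        # SOC declared an incident
    contained_at: datetime       # incident contained and remediated


@dataclass(frozen=True)
class PhishingCampaign:
    """One simulated phishing campaign run by the awareness programme."""
    campaign_id: str
    sent_at: datetime
    emails_sent: int
    clicks: int


# Lower is better for every metric in this set.
METRICS = ("mttd_hours", "mttr_hours", "dwell_hours", "phish_click_pct")


def hours(delta) -> float:
    return delta.total_seconds() / 3600.0


def quarter_of(ts: datetime) -> str:
    return f"{ts.year}Q{(ts.month - 1) // 3 + 1}"


def compute_odms(incidents, campaigns):
    """Return {period: {metric: value}} with incidents bucketed by detection quarter.

    Interval boundaries (assumption, not from the article):
      MTTD  = detected_at  - first_evidence_at   (how long evidence sat unnoticed)
      MTTR  = contained_at - detected_at         (detection to containment)
      dwell = detected_at  - compromised_at      (attacker present but undetected)
    """
    buckets = {}

    def bucket(period):
        return buckets.setdefault(period, {"ttd": [], "ttr": [], "dwell": [], "sent": 0, "clicks": 0})

    for inc in incidents:
        # Reject records whose timestamps are out of order; bad data would silently skew the means.
        if not (inc.compromised_at <= inc.first_evidence_at <= inc.detected_at <= inc.contained_at):
            raise ValueError(f"{inc.incident_id}: timestamps are not in chronological order")
        b = bucket(quarter_of(inc.detected_at))
        b["ttd"].append(hours(inc.detected_at - inc.first_evidence_at))
        b["ttr"].append(hours(inc.contained_at - inc.detected_at))
        b["dwell"].append(hours(inc.detected_at - inc.compromised_at))
    for c in campaigns:
        b = bucket(quarter_of(c.sent_at))
        b["sent"] += c.emails_sent
        b["clicks"] += c.clicks

    result = {}
    for period, b in sorted(buckets.items()):
        result[period] = {
            "mttd_hours": round(mean(b["ttd"]), 1) if b["ttd"] else None,
            "mttr_hours": round(mean(b["ttr"]), 1) if b["ttr"] else None,
            "dwell_hours": round(mean(b["dwell"]), 1) if b["dwell"] else None,
            "phish_click_pct": round(100.0 * b["clicks"] / b["sent"], 1) if b["sent"] else None,
        }
    return result


def trend_vs_baseline(odms, baseline_period):
    """Return {period: {metric: (value, change_vs_baseline, direction)}}."""
    base = odms[baseline_period]
    report = {}
    for period, metrics in odms.items():
        row = {}
        for name in METRICS:
            cur, ref = metrics.get(name), base.get(name)
            if cur is None or ref is None:
                row[name] = (cur, None, "no data")
                continue
            change = round(cur - ref, 1)
            direction = "improved" if change < 0 else "worse" if change > 0 else "flat"
            row[name] = (cur, change, direction)
        report[period] = row
    return report


def board_summary(report, baseline_period):
    """Plain-language lines for a board pack: one per metric per non-baseline period."""
    labels = {"mttd_hours": ("Time to detect", " h"), "mttr_hours": ("Time to contain", " h"),
              "dwell_hours": ("Attacker dwell time", " h"), "phish_click_pct": ("Phishing click rate", "%")}
    lines = []
    for period, row in report.items():
        if period == baseline_period:
            continue
        for name, (cur, change, direction) in row.items():
            label, unit = labels[name]
            if change is None:
                lines.append(f"{period} {label}: no data")
            else:
                lines.append(f"{period} {label}: {cur}{unit} ({direction}, {abs(change)}{unit} vs {baseline_period})")
    return lines


# Constructed sample data: two quarters, two incidents and one campaign each.
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2024, 1, 5, 8), datetime(2024, 1, 5, 10), datetime(2024, 1, 8, 10), datetime(2024, 1, 9, 10)),
    Incident("INC-2", datetime(2024, 2, 10, 0), datetime(2024, 2, 10, 6), datetime(2024, 2, 12, 6), datetime(2024, 2, 13, 18)),
    Incident("INC-3", datetime(2024, 4, 3, 8, 30), datetime(2024, 4, 3, 9, 30), datetime(2024, 4, 4, 9, 30), datetime(2024, 4, 4, 15, 30)),
    Incident("INC-4", datetime(2024, 5, 20, 12), datetime(2024, 5, 20, 13), datetime(2024, 5, 21, 1), datetime(2024, 5, 21, 11)),
]
SAMPLE_CAMPAIGNS = [
    PhishingCampaign("PH-Q1", datetime(2024, 3, 1), emails_sent=1000, clicks=120),
    PhishingCampaign("PH-Q2", datetime(2024, 6, 1), emails_sent=1200, clicks=60),
]

if __name__ == "__main__":
    odms = compute_odms(SAMPLE_INCIDENTS, SAMPLE_CAMPAIGNS)
    for line in board_summary(trend_vs_baseline(odms, "2024Q1"), "2024Q1"):
        print(line)
```

The point of `trend_vs_baseline` is that each number reaches the board already paired with its direction of travel against the agreed baseline, which is what makes the figure defensible rather than a raw count; the ordering check in `compute_odms` matters because one mis-entered timestamp would otherwise move a quarterly mean without anyone noticing.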

Conclusion

By adopting ODMs, organizations can bridge the communication gap between cybersecurity teams and the boardroom. This fosters trust, facilitates informed decision-making, and ensures that cybersecurity investments deliver the protection levels necessary to safeguard the organization's success in today's ever-evolving threat landscape.


[1] https://www.gartner.com/en/information-technology/glossary/outcome-driven-metrics , accessed 14/06/2024

[2] https://www.gartner.com/en/documents/5138231 , accessed 14/06/2024

John Scott

SANS Institute Certified Instructor on the Leadership curriculum focussed on human behaviours, security culture, and human error.

5 months

Lance Spitzner - a really good explanation of metrics that fit with strategic direction - something to add to the LDR433 class links?

Andrew Rice

I help CIOs of technology companies, to slash AI and cybersecurity risks up to 90%, by implementing robust protocols and strategies.

5 months

It's not that we should change our language to fit the board a CISO should come with this skill in the first place. It's why I studied business early on in my career.

- Kevin Hayes -

Cyber, Information Security, Data Protection

5 months

Very useful. Thanks, Richard Starnes.

Owain Bainbridge-Rees

Principal Consultant

5 months

1. How will or could this cyber thing impact revenue, profits, share price?
2. How much CapEx and OpEx will this cyber thing cost to implement and support?
3. What is the ROI for this cyber thing?
4. If we do nothing what would happen? 1-3-5 years

Always remember that close on 50% of CEOs have a tenure of only 1-5 years. So if the impact or ROI is beyond that term they don't care, because it will not be measurable in their KPIs, so won't impact their bonus positively; but the spend on the P&L could impact negatively. Also remember that in the first 12-18 months of a CEO's tenure, they can and will appropriate blame for most major issues to the previous incumbent CEO.
