The Forrester Wave™: Cybersecurity Risk Ratings Platforms, Q2 2024
6 Cybersecurity Metrics Every CISO Should Monitor
Cybersecurity monitoring is not a one-and-done, as attack surfaces and the methods used by malicious actors are constantly changing. By tracking the right metrics, Chief Information Security Officers (CISOs) can monitor the effectiveness of their processes and controls overtime, evaluate team performance, and show return on investment (ROI) of security spending at the board level.
Not all metrics, however, are of equal worth. Security and business leaders can easily become inundated with data points that lack context and fail to meaningfully communicate risk.
We came up with a list of metrics that can help CISOs prioritize and maximize their efforts, and conduct more effective security reporting at the board level, so they can drive value and growth within their organizations.
1. Third-party risk
Organizations that are security-first recognize that third-party relationships drive virtually all areas of business. Many organizations need to be able to onboard new vendors quickly to stay on the cutting edge of innovation. In order to support growth within their organizations, security teams need to be able to keep pace with business demands. Both infosec as well as non-security teams—such as legal and procurement—require quick access to third-party risk metrics to perform timely due diligence and avoid costly bottlenecks in vendor onboarding and acquisition processes.
Security ratings platforms provide valuable insight throughout the lifespan of vendor engagements. With the immediate visibility gained through security ratings, companies can follow a best-in-class approach to vendor selection and steer toward those that demonstrate a strong commitment to cybersecurity. Security teams can then continuously monitor vendor security posture after the initial due diligence process and receive automatic alerts when important changes take place.
2. Benchmarking
While raw data is important to tracking cybersecurity performance, it doesn’t tell the whole story. Running down exhaustive lists of event data and unpatched vulnerabilities won’t necessarily reveal the impact of those data points or the likelihood of an adverse event. Like all areas of business performance, cybersecurity data needs to be considered within the context of industry peers and best practices. Security ratings allow companies to evaluate their own cyber health as well as that of their competitors, which helps organizations identify security gaps comparatively, and align their practices and spending with industry trends. With native board-level summary reports, CISOs can easily pull detailed and contextualized information that’s presentable and accessible to non-technical stakeholders, allowing them to better guide the decision-making process.
3. Training
Security awareness training helps employees learn how to identify phishing emails and social engineering attacks, set strong passwords and safely navigate the internet and social media. Training, however, is only effective if completed, and is often put off by employees and teams managing busy schedules. Monitoring the percentage of employees who have completed cybersecurity training helps provide security leaders with an indication of the level of risk posed by insider threats and ensure that their workforce is up to date on the current cyber risk and compliance landscape.
4. Incident response
Evaluating the speed of incident detection and response is an important metric and key performance indicator (KPI) for security teams. The quicker an issue is addressed, the more easily the damage can be contained. Assessing the performance of security and incident response teams helps security and business leaders allocate appropriate funds and human resources to manage security events, and optimize their technology and processes to drive continued improvement. Accuracy is equally important, as false positives and negatives reduce teams’ confidence and divert attention from other potential threats.
5. Personnel
In addition to many of the quantitative performance metrics often discussed by security professionals, CISOs should consider the qualitative. In high-stakes professions with ever-increasing workloads, such as cybersecurity, steps should be taken to limit the risk of burnout in order to keep teams happy and functioning at their best—which reduces the risk of potentially costly human error. Ensuring appropriate staffing levels and time allocation is critical. In addition to monitoring common employee satisfaction indicators such as low turnover and high productivity and engagement, managers can visit websites where current and former employees rate their experience at their companies to better understand what makes a workplace thrive.
Return on investment (ROI)
It’s important for CISOs to help their boards of directors guide security spending in a way that is consistent with corporate goals and risk appetite. When deciding how much to spend to protect digital assets, business leaders need to understand the value of those assets and the likelihood of sustaining a data breach. Security ratings are an excellent indicator of the relative risk of sustaining a breach, which helps boards make informed, risk-based decisions on spending. Security ratings also track changes over time, allowing CISOs to show the progress they’ve made in improving their company’s security posture—which shows the value of previous investments and helps justify future funding for projects.
How security ratings can help
As the threat landscape continues to change, cybersecurity metrics help organizations ensure that their security controls are effective over time. Security ratings allow CISOs to automatically and continuously monitor their performance—and their vendors’ performance—across a multitude of cyber risk factors and communicate risk in universally understood terms, which drives productive, fact-based conversations across teams and business units, and at the board level.