Making Cybersecurity Metrics Matter to the Business

April 4, 2023 | By Summer Fowler, IANS Faculty

This piece is part of our ‘Faculty Focus' series, an interview-style article where a member of the IANS Faculty shares firsthand, practitioner-based insights on an infosec topic. In this feature, Summer Fowler discusses common security metrics reporting challenges and provides best practices to make metrics reporting to the business clear and concise.

Metrics Reporting Solutions from with IANS Faculty member, Summer Fowler 

 Summer Fowler is the senior VP of cybersecurity and IT for Motional, an artificial intelligence company focused on self-driving vehicle technology. She has over 22 years of experience in the cyber and IT space leading the strategy and execution of both IT and cybersecurity teams. She led the technical activities of the successful international acquisition of a 300+ person company in the EU. She is an expert in business continuity and cyber crisis management. Summer currently serves as a cybersecurity expert on the audit committee of a healthcare organization with over $1B in annual revenue. She also advises the board of an international fintech company as the cybersecurity expert. Summer was recently named one of the Top 25 Women Leaders in Cyber Security in 2021 by The Software Report.

1. What challenges do you see in reporting on cybersecurity metrics?  

Summer: There are two major challenges that I have observed in cybersecurity metrics: 

  • Lack of a common metrics framework 
  • Translation of metrics to business outcomes

In many industries there are common taxonomies and frameworks guiding professionals. For example:

  • In the financial industry, there is a profit and loss (P&L) statement with a standardized set of measures including revenue, expenses, cost of sales, gross profit, etc. Even when the templates differ, the general categories are easy to decipher and to align everyone on the pluses and minuses of the financials.
  • In the medical field, metrics not only have a standard set of categories - such as temperature, blood pressure, height, weight - but we have charts indicating “normal” ranges. For example, one can look up the normal body temperature for an infant taken using an oral thermometer (95.8 - 99.3 degrees F) or a rectal thermometer (96.8 - 100.3 degrees F). We use these measures as basic indicators of health. 

Cybersecurity as a discipline, however, has not settled on any standard set of metrics that indicate health or posture. 

A second challenge is that when we do have metrics that we report, it is rare that they are translated to business outcomes. In the financial world, this is relatively straight-forward. Tuning expenses does not guarantee a business outcome, but it is not complicated to discuss how reducing expenses in one area could impact achieving a business goal. If my Body Mass Index (BMI) indicates that I am in an unhealthy range, it is relatively simple to understand how this can impact overall health.

But it is not quite as easy to know what and how to report on many cybersecurity metrics. How many software vulnerabilities are in our environment? Is that too many? Are we patching them quickly enough (or too quickly and wasting money)? How does this help us to achieve our business goals? This often results in very little dialogue in the C-Suite or Boardroom about cybersecurity because the metrics are not clearly aligned to what the organization wants to achieve. 

2. How do we solve metrics reporting challenges? 

Summer: I have two tips that help:

  • As a discipline, the cybersecurity community needs to adopt a taxonomy and a standardized set of “cybersecurity health/posture” metrics. Much like the medical field, this is only a starting point for an overall health diagnosis and plan. If my height, weight, temperature, and blood pressure are all within normal ranges, but I am not feeling well, then there are additional measures such as cholesterol level that could be investigated. Cybersecurity needs to define a set of metrics that we can use as initial indicators of cybersecurity postures. These could include a set of measures against the Center for Internet Security’s Top 6 controls or a few measures under each of the NIST Cybersecurity Frameworks (CSF) functions
  • As leaders within an organization, we need to not only measure our capabilities, but we need to be able to convey them in ways that other leaders and executives can understand. This means first understanding the goals of the organization and then really working to show how the cybersecurity program is linked to achieving these. It is about both outputs and outcomes. 
    • Like a P&L statement, show your work - these are the outputs. Define your SLAs and note where you are achieving them, but then explain why the SLAs may need to change based on organization operations, the threat environment, and/or other changes. 
    • Clearly demonstrate how you are spending your budget - note the residual risks of both where you are applying resources and where you are not applying resources. Even when you have a really solid set of metrics, it is the story behind the metrics that matters most. 

     

     

     

 

Take Our Annual CISO Survey: Get Started

 

 

    3. What are the best practices for metrics reporting? 

    Summer:

    • Understand your organization’s goals and your counterpart’s business goals - Lacking this knowledge, it will be very difficult for your metrics to translate into something meaningful to other leaders.
    • Directly tie your cybersecurity strategy to the organization strategy - For example, if the organization wants to open operations in Mexico City, write your cybersecurity goals (e.g., expanding to new AWS region for high availability) as supporting this organization goal.
    • Determine the standard or framework – What you are using for managing/reporting and link your cybersecurity program and projects to the areas of the standard/framework. For example, if you use the NIST CSF, show that cybersecurity training is a key element of protecting the organization and that EDR capabilities are part of detecting threats and vulnerabilities.
    • Practice storytelling - Be able to convey your metrics as how you are addressing the most critical risks - and what the residual risks are.
    • Financials matter - Be sure that your storytelling includes explaining how you are using current monetary resources and WHY these are the most important places to be spending the money right now.
    • Use anecdotes from the goals of other leaders (discuss this with them first) - Show how your cybersecurity program supports cross-functionally. For example, your enhanced MDM solution will better support field engineers and the marketing team as they operate much of the time on phones and laptops.
    • Don’t report a metric because it is important to you - Report a metric because it is important to the audience with whom you are sharing the metric. 

    About the IANS Faculty 

    Our Faculty are comprised of over 100 renowned security practitioners with deep, domain-based knowledge who understand - firsthand - the challenges faced by CISOs and their teams.

    IANS connects clients with Faculty to help them make better decisions, grow professionally, save time & stay compliant. Get in touch to learn more about how we can help move your security program forward.

    Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.


    Access time-saving tools and helpful guides from our Faculty.


    IANS + Artico Search

    Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

    Subscribe to IANS Blog

    Receive a wealth of trending cyber tips and how-tos delivered directly weekly to your inbox.

    Please provide a business email.