This piece is part of our 'Faculty Focus' series, an interview-style article where a member of the IANS Faculty shares firsthand, practitioner-based insights on an infosec topic. In this feature, Summer Fowler discusses common security metrics reporting challenges and provides best practices to make metrics reporting to the business clear and concise.
Summer Fowler is the senior VP of cybersecurity and IT for Motional, an artificial intelligence company focused on self-driving vehicle technology. She has over 22
years of experience in the cyber and IT space leading the strategy and execution of both IT and cybersecurity teams. She led the technical activities of the successful international acquisition of a 300+ person company in the EU. She is an expert
in business continuity and cyber crisis management. Summer currently serves as a cybersecurity expert on the audit committee of a healthcare organization with over $1B in annual revenue. She also advises the board of an international fintech company
as the cybersecurity expert. Summer was recently named one of the Top 25 Women Leaders in Cyber Security in 2021 by The Software Report.
Summer: There are two major challenges that I have observed in cybersecurity metrics:
In many industries there are common taxonomies and frameworks guiding professionals. For example:
Cybersecurity as a discipline, however, has not settled on any standard set of metrics that indicate health or posture.
A second challenge is that when we do have metrics that we report, it is rare that they are translated to business outcomes. In the financial world, this is relatively straightforward. Tuning expenses does not guarantee a business outcome, but it is
not complicated to discuss how reducing expenses in one area could impact achieving a business goal. If my Body Mass Index (BMI) indicates that I am in an unhealthy range, it is relatively simple to understand how this can impact overall health.
But it is not quite as easy to know what and how to report on many cybersecurity metrics. How many software vulnerabilities are in our environment? Is that too many? Are we patching them quickly enough (or too quickly and wasting money)? How does this
help us to achieve our business goals? This often results in very little dialogue in the C-Suite or Boardroom about cybersecurity because the metrics are not clearly aligned to what the organization wants to achieve.
Summer: I have two tips that help: