6 Unique InfoSec Metrics CISOs Should Track in 2020

You might not find these measurements on a standard cybersecurity department checklist. But they can help evaluate risks you haven't even considered yet.

Joan Goodchild, Contributing Writer

January 10, 2020

A regular audience with executive management and the board is part of the CISO role now. And security leaders know they need to bring measurable information to the conversation to explain and justify their performance and spending. Metrics are no longer optional in security management, and if risk leaders aren't tracking elements such as mean time to detect and respond as well as attack frequency, they are leaving out a valuable aspect of a holistic security program.

But what else should we be measuring? Are there new, different, or emerging measurements that address other concerns?

Recently, we brought you the worst metrics used in security. This time, we've asked security professionals what they think are overlooked or newly emerging metrics that can help make the case for security in new ways. 

Security Team Proficiency

As Hank Thomas, CEO at Strategic Cyber Ventures, a Washington, DC-based venture capital firm that invests in cybersecurity companies, says:

"Many have found themselves in a position where they are spread so thin across their security stack that duplication of effort and smooth collaboration amongst their tools and teams has become highly complex. They don't think they can take the time to train or test their teams — often it is trial by fire and on-the-job training. This can and should be measured through red-team exercises and other war games that stress teams and their abilities to operate in complex security environments.

"The military does this all the time to prepare for war with much success. Tools and teams that don't operate to standard go back for retraining, and the process is constantly repeating itself. Great metrics come out of teams that spend time doing efforts like these."

Security Team Satisfaction

Burnout is a well-documented hazard of the high-stress, high-stakes career of infosec. But what if there were ways to measure how staff members are doing in order to keep them happy?

Says Jason Albuquerque, CISO and CIO at Carousel Industries: "I would strongly encourage my CISO peers to seriously look at personnel metrics. I think a lot about my staff and guiding them along their career paths, how we allocate their time to fully leverage our resources and not burn them out. We also set strategic KPIs around innovation and upstream communication."

Support of the Business Mission

Albuquerque also advises finding ways to measure how well security's efforts match up with the objectives of the organization as a whole.

"We look at how we build competitive advantage, how we create new opportunities in areas such as managed services, how many opportunities our security team is involved with, how many conversations we have with clients around security services, how we have enabled sales or impacted the opportunity pipeline," he says. "By presenting data that demonstrates how the infosec team is successfully supporting the business in both areas, it accentuates the value delivered on a daily basis."

Perceived Privileged Users Versus Actual Privileged Users

Aaron Turner, president and chief security officer of HighSide, says: "One metric that I've been working with some of our consulting customers on is the enumeration of privileged users and user groups and critical intellectual property."

For example, he says: "Let's say that an enterprise has a server with a large amount of intellectual property stored on it. Begin by enumerating all of the IT operations staff who have access to the server storing critical IP. Sometimes this becomes difficult in large-scale enterprise environments, especially where nested groups are used to allow different IT operations teams to have access to the server for operations and maintenance purposes."

The end result, says Turner, should be a clear understanding of who has access to critical IP assets, and how that needs to be modified for better protection going forward.
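
The nested-group problem Turner describes can be turned into a number by resolving every group on the server's access list down to individual accounts and comparing the result with the list the asset owner believes is accurate. The following Python sketch is an added example, not code from the article or from HighSide; the group names, accounts, and the `GROUPS`, `SERVER_ACL`, and `PERCEIVED` structures are constructed for illustration and would be replaced by an export from your own directory.

```python
from collections import deque

# Constructed sample directory (not from the article): group -> direct members.
# A member that is itself a key of GROUPS is a nested group.
GROUPS = {
    "ip-server-admins": ["alice", "bob", "storage-ops"],
    "storage-ops": ["carol", "backup-ops"],
    "backup-ops": ["dave", "svc-backup", "storage-ops"],  # loops back to storage-ops
    "helpdesk": ["erin"],  # not on the server ACL
}
SERVER_ACL = ["ip-server-admins"]      # groups granted access to the IP server
PERCEIVED = {"alice", "bob", "frank"}  # who the asset owner believes has access


def effective_users(acl_groups, groups):
    """Expand nested groups; return {user: chain of groups that grants access}."""
    users, seen = {}, set()
    queue = deque((g, [g]) for g in acl_groups)
    while queue:
        group, path = queue.popleft()
        if group in seen:
            continue  # already expanded; this also breaks membership cycles
        seen.add(group)
        for member in groups.get(group, []):
            if member in groups:
                queue.append((member, path + [member]))
            else:
                users.setdefault(member, path)  # keep the shortest chain found
    return users


def access_gap(perceived, acl_groups, groups):
    """Compare the perceived privileged-user list with the resolved one."""
    actual = effective_users(acl_groups, groups)
    unexpected = sorted(set(actual) - perceived)
    return {
        "perceived": len(perceived),
        "actual": len(actual),
        "unexpected": {u: " > ".join(actual[u]) for u in unexpected},
        "perceived_only": sorted(perceived - set(actual)),
    }


if __name__ == "__main__":
    report = access_gap(PERCEIVED, SERVER_ACL, GROUPS)
    print(f"perceived={report['perceived']} actual={report['actual']}")
    for user, chain in report["unexpected"].items():
        print(f"unexpected access: {user} via {chain}")
    print("on the perceived list but without access:", report["perceived_only"])
```

Tracking the `perceived` and `actual` counts over time, along with the group chain behind each unexpected account, shows which nested memberships to remove first.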

Potential Cost of Security Incident

No one enjoys thinking about it, but it's better to be prepared with numbers on how much a data breach or security incident could cost the organization than to be totally shocked should one occur. It is also useful to understand how much you may have to fork over for noncompliance with laws in an ever-growing regulation landscape.

Henry Harrison, CTO of Garrison, says, "If CISOs want to engage with strategic business risks, the metrics they should be focusing on are 'How costly could an incident potentially be for us?' and 'How much do we think it would cost an attacker to do that to us?' The latter is what CISOs should really be asking their red team. But it's rarely what they are asking, because they know they won't like the answer."

As Jason Lau, CISO of Crypto.com, says: "Compare fines resulting from failing to comply with local regulation against other companies in the same industry. With the growing number of regulations around the world, from GDPR to CCPA, showing to management that (hopefully) you don't have any fines helps to justify the direction and success of the security and privacy strategy that is being implemented."

Return on Investment

ROI is nothing new, but it still might not have made it into your Information Security department. (You might have even done your very best to keep it out.)

Nevertheless, Roger Hale, CISO-in-Residence at YL Ventures, says, "I prefer to provide metrics showing the value of the past investments, as well as where there is still risk to be addressed. Focus areas include data showing our Cyber Insurance levels, external internet risk scores, the executive summary of our annual third-party risk assessment, with agreed-upon mitigation/remediation activity, and our security program coverage map broken out by CSF categories of: Identify or (Visibility), Protection, Detection, Response and Recover. This approach provides the board with information they need to assure that the company is investing in the right areas of security and privacy and helps them to accept the residual risk."

George Wrenn, CEO of CyberSaint Security and former CSO of Schneider Electric, has a mathematical equation he uses for ROI measurement, which looks like this: (Mitigation coefficient × (Likelihood × $ Impact) - Cost of Completion) / Cost of Completion.

"The mitigation coefficient, in this case, can range, but I typically use .9 which assumes that any control or security solution mitigates 90% of negative effects. I have seen this adjusted for more conservative estimates, though. The likelihood, using NIST's methodology, is broken down into Very Low (0.1), Low (0.25), Medium (0.5), High (0.75), Very High (1.0). This equation is designed to be applied on a per control basis. The value of that is being able to see where gaps exist, and where the greatest opportunities for investment lie."
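
Applied per control, the equation produces a ranking, and solving it for zero ROI gives the mitigation coefficient a control must reach just to pay for itself. The following Python sketch is an added example, not code from the article or from CyberSaint; the control names and dollar figures are constructed, and `break_even_mitigation` is a helper introduced here by rearranging the quoted equation.

```python
# Likelihood scale as quoted in the article.
LIKELIHOOD = {"Very Low": 0.1, "Low": 0.25, "Medium": 0.5,
              "High": 0.75, "Very High": 1.0}

# Constructed controls: (name, likelihood level, $ impact, cost of completion).
CONTROLS = [
    ("Email filtering upgrade", "Medium", 800_000, 200_000),
    ("Legacy server segmentation", "Low", 1_200_000, 300_000),
    ("MFA for admin accounts", "High", 2_000_000, 150_000),
]


def control_roi(likelihood, impact, cost, mitigation=0.9):
    """(mitigation x (likelihood x impact) - cost) / cost for one control."""
    if cost <= 0:
        raise ValueError("cost of completion must be positive")
    return (mitigation * LIKELIHOOD[likelihood] * impact - cost) / cost


def break_even_mitigation(likelihood, impact, cost):
    """Mitigation coefficient at which ROI is exactly zero (hypothetical helper).

    From mitigation x likelihood x impact = cost. A value near or above 1.0
    means the control cannot pay for itself under this model.
    """
    return cost / (LIKELIHOOD[likelihood] * impact)


def rank_controls(controls, mitigation=0.9):
    """Return (name, ROI, break-even coefficient) rows, best ROI first."""
    rows = [
        (name,
         round(control_roi(level, impact, cost, mitigation), 2),
         round(break_even_mitigation(level, impact, cost), 2))
        for name, level, impact, cost in controls
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for coefficient in (0.9, 0.5):  # the quoted default and a conservative value
        print(f"mitigation coefficient = {coefficient}")
        for name, roi, floor in rank_controls(CONTROLS, coefficient):
            print(f"  {name:<28} ROI={roi:>5.2f}  break-even={floor:.2f}")
```

Lowering the coefficient from 0.9 to 0.5 drops the email control's ROI from 0.8 to zero, which is how sensitive a borderline investment is to the "conservative estimates" adjustment mentioned in the quote.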

About the Author

Joan Goodchild

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
