After a year of highly publicized cyber-attacks, many organizations have placed new or heightened emphasis on their security programs and investments. But how can you tell if you're getting a return on those investments or making any progress if you don't know where you stand today or where you plan to go? In the webcast, “Security Metrics: How are you Measuring Up?”, Maranda Cigna, Manager of Strategic Services at Rapid7, details some best practice recommendations for how to meaningfully measure and share your security program's progress, while ensuring it resonates with management. Read on to learn the top 3 takeaways from this informative webcast:
1. Tie to the Business Goals! – The best thing you can do to ensure your metrics have an impact is make sure they're relevant to the business. Reporting on the rising and falling number of vulnerabilities you may see is relatively meaningless. Rather than providing enterprise wide company goals based on your security findings, divide by business lines and the teams responsible. If you link your metrics to business goals and teams, this will allow numbers and measurements to resonate with company leaders and management and help to highlight which teams struggle with remediation so you know where to focus efforts towards improvement.You'll need a clear call to action for various teams to drive performance improvement and progress overall. Measures that communicate program successes and failures are critical to building a mature and well understood program that has a positive impact on the business.
2. Make Metrics Quantifiable and Objective – The metrics you report should be a quantifiable number or percentage. Using objective measurements will make it much easier to observe and display trending. If you're measuring regularly and providing metrics consistently, you'll be able to see monthly/quarterly/yearly trends and get visibility into whether or not decisions that have been made and controls that have been implemented are working and paying off. When you can show objective data to support your goals and give visibility into your accomplishments, teams become more committed to improvement and tend to be more diligent and willing to make adjustments. Quantify effectiveness and present it in an easy to digest manner, and your program will be better understood. It will become easier to get more people, processes, technology, support, and budget involved, and management can celebrate your success.
3. Communicate with leadership meaningfully and regularly – Metrics are only helpful if created consistently. Repeatable processes should be performed, preferably through automation, and measured. The process that feeds you the data needs to be stable, otherwise you'll be running down rabbit holes trying to account for fluctuations and changes. Report to leadership regularly and on a consistent schedule, ideally in person, so you can make sure your message lands. Know which metrics to highlight for various aspects of the business – ie. Need to demonstrate compliance? Share metrics like the length of time to implement security patches, and a reduction in audit findings (whether done internally or externally). Be able to demonstrate where you have issues and need support. Good metrics can help bridge the communication gap with executive management by facilitating conversations that tell a story leadership can understand and use to make informed decisions, react to issues, and help remove road blocks.
Watch the full webinar on-demand to go in-depth on security metrics best practices and what to do to make sure your findings resonate with management.