Last week I participated in a joint event with KPMG hosted by the New York Stock Exchange Governance Services. The roundtable topic was Information Security Metrics programs – every security manager’s favorite. Why? Because security is so squishy. What metrics could effectively capture the state of something that changes on a regular basis, has no uniformity and can take a left turn just when you think you know where you are going? With today’s complex and frankly dangerous technology issues, security is a regular topic that reaches the board level. Every company represented at the table reports regularly to its board on information security. Naturally, the discussion started with the challenge of coming up with measurable, repeatable metrics that provide a view into information security and are tangible and meaningful for the executives.
The discussion was vibrant and meandered over many different aspects of a metrics program. Generally, a certain level of maturity must be attained before metrics can be measured and monitored. The typical maturity journey around building a program requires processes to be defined, documented and then monitored and measured to drive metrics. However, many companies begin gathering and reporting metrics early on to drive performance improvements. So which comes first – maturity or metrics? Can an ‘immature’ security program sustain a metrics program? A metric only really gives insight when measured over time. Measuring something once or twice really doesn’t give an indication of true risk. But waiting until a metric becomes a true risk indicator may take too long, and there could be value in short-term measurement, for example to track a “surge” in specific risks or to support internal initiatives.
We also talked about a variety of other topics, including the growing conversation CISOs/InfoSec Executives are having regarding the financial impact of both cyber risk and the investment in security technology. Financial metrics related to security spend and investment can factor into your strategies if you are able to bridge the gap between technology speak and the business context of security risk. Reporting metrics should drive better decisions. Performance optimization – for the business and not just security – is the ultimate output.
Identifying the key metrics that give early warning of incoming risks, or that show the efficiency and effectiveness of the security program, is no easy feat. The trick is to find metrics that trigger management interest. Something that informs and educates was a key factor, especially for executives who are just learning to navigate the information security universe. One of the critical points is to view metrics reporting as storytelling – shaping the perceptions and knowledge of management while building an ever clearer picture of what is happening both in the industry and in internal efforts.