
Cyber Metrics Journey

This article originally featured in Professional Security


Ian Harragan

Director at i-confidential


Every CISO (chief information security officer) needs cyber security metrics.


A fundamental responsibility for any CISO is to report on the security status of their organisation to the board and other key stakeholders. CISOs and their teams must provide information on what the organisation is doing to manage the threats and risks it faces, as well as the effectiveness of any transformation activity being carried out to improve its security position.


Producing the right information is more challenging than is often recognised. CISOs must ensure the data used is accurate, accessible, and current, because this is the only way they can confidently present status updates to senior leaders. Acquiring the necessary data on an organisation’s overall security posture and presenting it successfully to a senior, non-technical audience will invariably involve tackling a number of problems, from data coverage to sources, analysis, and consistency.


Reaching the desired position is often best achieved through the implementation of a cyber security metrics programme. A successful programme will enable the production of information that is accurate and can be effectively used to provide informed updates, while also identifying any security red flags. Furthermore, metrics are an effective way to establish security improvement goals for an organisation and track ongoing progress towards them.


Given all the benefits metrics programmes offer organisations, how should they get started? The first step in any programme is to define the metrics the organisation requires. The key here is not to focus on what can be measured, but on what should be measured. Easily collected data is not enough. Organisations need a complete view of security to deliver effective metrics.


From a CISO standpoint, the types of data they use for reporting need to address the following:


  • How are we performing in protecting our sensitive information, preventing breaches, and detecting cyber attacks?

  • How effectively are we delivering cyber security improvements, demonstrating risk reduction and a return on investment (ROI)?

  • Can we make informed, objective decisions that support the future prioritisation of budget and resources, highlighting areas that require the greatest focus?


To properly answer these questions, organisations will have to track numerous security efforts. When it comes to protecting data and preventing breaches, this will focus on the technical defences an organisation has implemented, the policies it has in place to detect, respond to, and mitigate attacks, as well as the efficacy of staff training on security. When it comes to cyber security ROI, CISOs need to understand security spending in comparison to prevented breaches. Once these metrics have been defined, it’s a good idea to establish whether the organisation is already capturing them in some form within its current reporting capabilities.


Any data that is tracking an organisation’s security efforts can be fed into the metrics programme. For instance, if the organisation is tracking the percentage of staff receiving security training, or the inventorying of network assets, this can all be used to monitor progress and risks. A longer-term goal is for the data to be fed into a centralised platform, so CISOs don’t need to navigate multiple tools and reports to communicate security updates.


Instead, all security efforts and risks should be monitored on a dashboard that is accessible and readily digestible. A typical way to evaluate an organisation against its key metrics is to adopt a ‘red, amber, green’, or RAG, status. This, coupled with combining or ‘aggregating’ measures to effectively summarise large data sets, enables the CISO to identify issues quickly and more easily track security improvement progress.
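As an added illustration of the RAG grading and aggregation described above (example code, not from the original article), the Python below grades a few constructed metric readings and rolls them up per domain in two ways, showing why a worst-of rollup keeps a red flag visible on the dashboard while a naive averaged rollup can hide it. The metric names, thresholds and readings are constructed for the example, not taken from the article.

```python
from dataclasses import dataclass

# Constructed sample: each metric is a percentage where higher is better,
# with green/amber thresholds of the kind a CISO would set per metric.
@dataclass
class Metric:
    name: str
    domain: str
    value: float        # current reading, as a percentage
    green_at: float     # >= this is green
    amber_at: float     # >= this (but below green_at) is amber; else red

STATUS = ["green", "amber", "red"]          # index doubles as severity score
RANK = {s: i for i, s in enumerate(STATUS)}

def rag(m: Metric) -> str:
    """Map one metric reading to a red/amber/green status."""
    if m.value >= m.green_at:
        return "green"
    if m.value >= m.amber_at:
        return "amber"
    return "red"

def aggregate(metrics, worst_of=True):
    """Roll metric statuses up to one status per domain.

    worst_of=True : a domain is as bad as its worst metric, so a single red
                    survives aggregation as a red flag.
    worst_of=False: truncating average of the severity scores, shown only to
                    illustrate how averaging can bury a red metric.
    """
    by_domain = {}
    for m in metrics:
        by_domain.setdefault(m.domain, []).append(m)
    out = {}
    for domain, ms in by_domain.items():
        scores = [RANK[rag(m)] for m in ms]
        score = max(scores) if worst_of else int(sum(scores) / len(scores))
        out[domain] = STATUS[score]
    return out

def red_flags(metrics):
    """Names of every metric that is individually red, regardless of rollup."""
    return [m.name for m in metrics if rag(m) == "red"]

SAMPLE = [  # constructed readings, not real data
    Metric("staff completed security training", "people", 96.0, 95.0, 85.0),
    Metric("phishing simulation reported", "people", 40.0, 70.0, 50.0),
    Metric("network assets in inventory", "assets", 99.0, 98.0, 90.0),
    Metric("critical patches applied within SLA", "assets", 91.0, 95.0, 90.0),
]
```

With the sample readings the worst-of rollup reports people as red and assets as amber, whereas the averaged rollup reports amber and green, so the dashboard should always list the individual red metrics alongside any aggregate.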


It is crucial that CISOs can take what is often a mass of opaque, confusing, and ‘grey’ metrics data and convert it into compelling, actionable insights. Armed with this output, they can fully understand the security status of their organisation and deliver informed updates to the board. Once organisations have implemented an initial metrics programme, the goal should be to expand it to ensure coverage across all key assets. As they mature, organisations should also begin looking at tools to automate metrics production, providing continuous, real-time monitoring of security efforts, while removing manual input and reducing the risks of errors.


Cyber metrics programmes offer an effective way to measure an organisation’s cyber risk, while also providing a bird’s eye view of its security status. This information can then be used by CISOs to accurately report on security to senior stakeholders and the board. They can also prioritise weaknesses that, when addressed, will improve their defence against attacks.

