THE IMPORTANCE OF CYBERSECURITY AND HOW TO MEASURE IT

By David Johnson – Director, Solutions Consulting EMEA at Domo


As C-suite executives and business leaders face increasing demands to provide evidence that business assets are adequately safeguarded from the fallout of a potential breach, measuring security effectiveness has become a key performance metric for most enterprises.

Data breaches can have a vast, negative impact on a company: damage to brand and reputation, hindered operational performance, and weakened financial positioning. Many companies have already been exposed to these threats.

Research and root cause analysis of these incidents point to one key area of weakness related to cyber governance: lack of prioritization of security risks from executive management down to the front lines of security controls.

When security risks are not prioritized to the extent other key business risks are, the results are often undesirable for the business. In addition, there is a disconnect between what a business considers to be a security risk and which security risks are actually present. This creates an inaccurate picture of risk and its potential (or real) impact on the business.

A successful cyber governance program is not static. It must incorporate continuous monitoring, measurement, and reporting, providing the type of visibility all levels of the business can benefit from.


Measuring the effectiveness of your cybersecurity program

Companies have adopted various strategies to measure the effectiveness of their cybersecurity programs. But as they begin to treat security risks as business risks, one challenge they run into is that security is still managed as an IT function rather than a business function.

This misalignment heightens the need for security leaders to have visibility over the effectiveness of their security program to confidently answer common questions such as:

  • How effective are my security processes and controls?
  • Are my investments in security delivering a return that protects the business and contributes to its growth?
  • How effective is my threat intelligence program in proactively identifying and addressing the security threats to my company?

Having access to real-time data to answer these and other questions not only provides ongoing, evidence-based measurement and reporting, but also fosters stronger collaboration between security leaders, other C-level executives, and the board.

An integral part of a good cyber governance program is being able to quantify cyber risk in financial terms, just as you quantify other systemic business risks. When security leaders have the tools and processes to continuously monitor and measure controls, they are able to gather quantitative evidence of security gaps. They can substantiate – with facts – their ability to reduce security risk and improve the company’s overall security posture.

However, measuring security effectiveness in a way that drives positive business decisions is easier said than done.


The challenges of measuring cybersecurity effectiveness—and how to conquer them

The biggest challenge in measuring security effectiveness stems from the disconnect between security team assumptions and reality when it comes to the company’s ability to detect, block, and generate alerts for threats.

Research has shown that, on average, companies detect only 26% of attacks and prevent 33% of them. Even more concerning is the fact that alerts are only generated for 9% of attacks.

This is a clear indication that security information and event management (SIEM) tools and other tools used for alerting cannot deliver a high enough level of fidelity to both prioritize and resolve security concerns.

Having access to the right datasets to measure and quantify security risks, and presenting relevant security metrics to key stakeholders, is essential for these companies to identify opportunities for improvement and minimize cyber risk across the organization.

Security metrics need to be clear and to illuminate targets, trends, and areas for improvement. A metric that identifies indicators of success using available data, and that ties back to the company’s risk priorities in a meaningful way, is essential to overcoming both the false assumptions of security teams and the misalignment with the company’s priorities.

As companies continue to make investments in security tools, they must also hire and train teams, put processes in place to protect critical assets, and integrate the reporting of key security metrics that align with business objectives.
