One of the top benefits of measuring the effectiveness and performance of cybersecurity programs is that it enables CISOs and other information security executives to demonstrate to the C-suite and to the board how the organization’s cybersecurity measures are performing, where there are gaps, along with identifying opportunities for increasing investments as-needed.

“If my audience is the CEO, she or he doesn’t necessarily care about the technicalities. What they do want is something more high-level, such as how we are tracking against our objectives and how our investments are tracking,” said Roota Almeida, Head of Information Security, Delta Dental of New Jersey and Connecticut.

Almeida said security metrics the C-suite is interested in include:

  • How effectively the organization is mitigating threats
  • The types of threats being detected and blocked in a period of time
  • The dollar amount of the monetary losses that were prevented

According to the 2016 Cybersecurity Trend Report conducted by Ponemon Institute for HPE, the average cost of a data breach per day was $21,155.

Almeida said board members are most interested in comparisons that measure a company’s cybersecurity readiness with companies in the same industry along with similar-sized companies in other industries. Such metrics include comparisons between how much each company is investing in different types of cybersecurity measures as well as the threats and risks faced by each company.

Skipping non-repeatable metrics

Almeida said she tends to avoid security metrics that are non-repeatable. “If they’re not tangible, it just doesn’t make sense.”

“A good tangible and repeatable metric might include measuring the number of malicious emails that reached employees and the number of employees that are opening or not opening or are sending the emails to IT for review,” said Almeida.

“Don’t just measure things because you can,” said Almeida. “You measure things because you need results.”

To help align information security metrics with enterprise risk metrics, Almeida and her team measure key performance indicators (KPIs) at an enterprise level. She and her team also measure KPIs based on the goals of the company.

Almeida mentions a few techniques to share security metrics with any C-suite and board of directors:

  1. At a minimum, provide a quarterly security update or a corporate security health report to the Board, even if it is via an electronic document.
  2. Once or twice a year, present security updates to the Board, showing them what’s going on and discussing the corresponding metrics.

The key, explained Almeida, is presenting the right metrics to the right audience. “If you give the right metrics to the wrong audience, it’s not going to be of any value to them.”