Jonathan Crowe
Feb 2016

Cybersecurity Has a Metrics Problem


Working on Cybersecurity Shouldn't Feel Like Groundhog Day

Once a year, he emerges. Pulled from relative solitude and prodded by members of an inner circle to provide them with a forecast for the coming year…

I’m talking, of course, about our fuzzy prognosticating friend, Punxsutawney Phil, who this morning did not see his shadow, which for some reason heralds an early spring. But if that description reminds you of your own annual security planning and reporting process, you’re not alone.


Lack of Confidence in Metrics Leads to Reporting Problems

When was the last time you felt confident reporting on your organization's security posture and needs?

According to a Ponemon survey, 54% of IT and security pros aren't convinced the metrics they're tracking adequately convey the true state of their security efforts. (There's no data to reflect how confident Phil feels about his own shadow/no shadow metric, but given that his predictions are incorrect 60% of the time, we have little reason to put much stock in his reporting.)

There are various reasons IT and security pros cite for not using more accurate metrics, but the most common one is surprising: it simply isn't a top priority.

[Chart: Reasons for tracking bad cybersecurity metrics]

What makes that such a discouraging answer is that without the right goals and metrics in place you're essentially throwing darts at a dartboard while blindfolded. You have no way of being certain your efforts are focused on the right things, or that they are actually yielding positive, meaningful results.


Before you know it, that can lead to a pattern where you're generating a lot of effort (and potentially burning through a big chunk of budget) without clear, measurable progress to show for it. 

3 Keys to Better Reporting & Breaking Out of the "More Money, Same Problems" Loop


To avoid getting trapped in your own version of a Groundhog Day time loop, you need to do three things:

  • Come to a universal agreement with leadership on your security priorities, goals, and objectives (for help, see our post on getting executive buy-in for security).
  • Identify the most effective metrics to track progress against those goals.
  • Establish a regular cadence for reviewing and reporting on that progress.

That may sound simple, but as the difficulties cited in the Ponemon survey indicate, it's clearly not. Taking a closer look at that list, however, it becomes clear that the majority of reporting obstacles are either communication or prioritization issues, and those can largely be addressed by doing these three deceptively simple things.

(The two reasons toward the bottom of the list may in fact be tougher nuts to crack, but developing further clarity around your needs and goals can potentially help with those, as well.) 

[Chart: Cybersecurity metrics challenges]

The Benefits of Steady, Streamlined Security Reporting

Establishing an effective reporting structure and rhythm does require a healthy amount of work up front, but it's necessary to ensure your future efforts are meaningfully productive and aligned with your needs. As much as possible, keep things simple, and strip out anything in your reporting that doesn't reflect directly on performance against your top objectives and goals.

Security cannot be approached as a one-and-done activity. As nice as it is to imagine we can simply check off a series of boxes and move on, that’s unfortunately not how it works. Every day, new attacks are discovered and new vulnerabilities exposed. To keep up, you need to adopt an incremental, reflective, and iterative approach that provides you with regular opportunities to learn, adjust, and improve. 

At the end of the day, that's what good reporting is all about.

Feature photo by Alessandro M.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.
