
Guest Post

How to create security metrics business leaders care about

Security metrics must be clear, actionable and resonate with business leadership. Learn how to create metrics that business leaders care about and will act upon.

In the words of Rear Admiral Grace Murray Hopper: "One accurate measurement is worth a thousand expert opinions."

When asked for a progress report toward business initiatives, too many professionals fall into the trap of sharing what data they have and using it to support what they think is true. Opinions and assumptions not based in defensible data linked to business goals provide minimal value.

As security leaders, it is essential we speak the language of business leadership to align security priorities with business outcomes. Business-aligned, metric-based reporting is a key part of that language.

Metrics-based reporting is about more than just the numbers, however. Metrics don't exist just for metrics' sake. They are designed to achieve something. Good metrics do at least one of three things: They inform, they educate or they change behavior. Great metrics do two of these things, and the best metrics do all three.

Security leaders should take these five steps to design and present metrics that are clear, actionable and resonate with business leadership, driving better and more informed security decisions for the enterprise.

1. Clearly connect to business outcomes

A common metric in many security programs is the number of missing patches across the enterprise. While it's important that systems are patched, such a metric is essentially meaningless because it comes with zero business context or alignment with organizational goals. What kind of patches are missing? What kinds of systems need to be patched? How old are the missing patches?

Each security metric must clearly align with a business goal. In the patching example, a stronger metric would communicate missing critical patches by business function. If data shows the ERP system -- which is critical to business priorities -- is not well patched, that provides the impetus for security leaders to act.

2. Provide appropriate context

When presenting data to an executive audience, the numbers aren't as important as the why. Context is the bridge between action and value. Providing context helps connect data with business needs. When security leaders ask for more budget or suggest a process change, business decision-makers have a clearer picture of why that request is important.

There are different types of context, including technical, time, location, risk and business context. Returning to the example of missing critical patches for the ERP system, when presenting this data to executive leadership, questions to consider for additional context include the following:

  • What is the recommended time frame in which these systems should be patched? How long will it take to roll out patches?
  • What risks do these missing patches pose to the business? What is the likelihood of these risks becoming reality?
  • How are business goals impacted by missing patches?

3. Match the message to the audience

Every business audience has a different goal and, therefore, cares about different metrics and messages. When speaking to the CFO, metrics should be presented in the context of the business's financials and bottom line. When presenting to sales leadership, the message should look at the impact for customers and prospects. Also, consider the audience's familiarity with the data and issues at hand. While the CIO may understand security acronyms and jargon, the board of directors may need those terms spelled out.

Matching the message to the audience is not just about presentation. In some cases, you may need to create different sets of metrics for each stakeholder group. Evaluate what your audience cares about most and what decisions they are making every day to select and frame metrics accordingly.

4. Report on alignment with targets

Another common metric in security programs is average time to patch. However, this metric doesn't tell business leadership anything about the impact to the organization. If average time to patch is eight days, does that mean the organization is at risk, or is that a relatively good outcome?

Metrics can be improved by reporting on alignment with targets. In the patching example, show the comparison between average time to patch and target patch times across regions or business units. This may reveal that the North American team is on track to meet its patch time targets, but the team in Europe is significantly behind on its time to patch. This context tells business leadership that more security resources are needed to help the European team meet its goals and reduce the organization's risk posture.
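As an added illustration (not from the article or its author), the following computes the step 1 and step 4 metrics from a handful of constructed patch records: missing critical patches by business function, and average time to patch shown next to the share of patches within target per region. The records, the 3-day and 14-day target windows and the reporting date are all assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import date

Patch = namedtuple("Patch", "host function region severity released installed")
# Constructed patch deployment records (not real data); installed=None means still missing.
RECORDS = [
    Patch("erp-01", "ERP", "NA", "critical", date(2021, 10, 1), date(2021, 10, 3)),
    Patch("erp-02", "ERP", "EU", "critical", date(2021, 10, 1), None),
    Patch("erp-03", "ERP", "EU", "critical", date(2021, 10, 1), date(2021, 10, 12)),
    Patch("bill-01", "Billing", "NA", "critical", date(2021, 10, 5), date(2021, 10, 7)),
    Patch("bill-02", "Billing", "NA", "critical", date(2021, 10, 5), date(2021, 10, 8)),
    Patch("web-01", "Marketing site", "EU", "high", date(2021, 10, 2), date(2021, 10, 20)),
]
# Constructed target windows (days from vendor release), standing in for board-set risk tolerance.
TARGET_DAYS = {"critical": 3, "high": 14}
AS_OF = date(2021, 10, 31)  # constructed reporting date

def is_open(record, as_of):
    """A patch is open if it was never installed, or installed only after the reporting date."""
    return record.installed is None or record.installed > as_of

def missing_critical_by_function(records, as_of):
    """Step 1: missing critical patches broken down by business function (zeros kept)."""
    counts = {}
    for r in records:
        counts.setdefault(r.function, 0)
        if r.severity == "critical" and is_open(r, as_of):
            counts[r.function] += 1
    return counts

def target_alignment(records, as_of, group_key="region"):
    """Step 4: per group, average days to patch next to the share patched within its severity
    target. Open patches are left out of the average but counted as outside target."""
    groups = defaultdict(list)
    for r in records:
        groups[getattr(r, group_key)].append(r)
    report = {}
    for group, rows in groups.items():
        days, within, still_open = [], 0, 0
        for r in rows:
            if is_open(r, as_of):
                still_open += 1
                continue
            elapsed = (r.installed - r.released).days
            days.append(elapsed)
            within += int(elapsed <= TARGET_DAYS[r.severity])
        report[group] = {"avg_days_to_patch": round(sum(days) / len(days), 1) if days else None,
                         "pct_within_target": round(100 * within / len(rows), 1),
                         "still_missing": still_open}
    return report
```

With these records the NA region shows 100% within target while EU shows 0% with one patch still missing, the kind of gap the average alone would not reveal; passing `group_key="function"` gives the same view per business function.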

5. Build strong narratives and tell stories

Using a narrative can help security leaders tie the above steps together and develop a story that matters to business leadership. Think about telling your metrics story using the following framework:

We did/should do <action> in this <time frame> to address <technical issue> in order to <limit/prevent/slow down> this <risk>, which would impact this <business goal>.

Here's an example of this in practice:

We patched our billing servers within target (95%) within three days of a patch becoming available, which supports our ability to maintain revenue flow and operational resilience and stay within the risk tolerance defined by the board.

Rather than just throwing numbers at your audience, connect the dots for them. Telling a story helps put metrics into context and prompts further understanding or action from business stakeholders. For security leaders, this can be the difference between being just another technical expert and having a seat at the executive table.

About the author
Jeffrey Wheatman is vice president, advisory at Gartner Inc., where he advises clients on a wide range of cybersecurity and IT risk management issues. Wheatman and other Gartner analysts will provide the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summit 2021, taking place virtually Nov. 16-18 in the Americas.
