When it comes to measuring the performance of their information security programs, many CISOs stumble – not because of lack of effort, but because their aim is off the mark. CISOs need information that provides a clear picture of the threat landscape and potential operational and financial impacts. Having an effective cyber metrics program in place is fundamental to managing business risk and undertaking risk mitigation efforts. It can enable a CISO to shift the organization’s cybersecurity program from a controls orientation to one that addresses risk and impact on the organization’s bottom line.
Getting effective measures in place is an accomplishable effort, but it does require some forethought regarding what to measure and, more importantly, why. CISOs can start by asking themselves a few questions. First, how are other executives measuring and communicating their programs to the executives and board of directors? Second, are my metrics actionable, and how do I create a core set of metrics that incorporates risk, cost, value, and business context? Finally, how do I tell my intended story using as few metrics as possible? Simplicity and…