
Using security metrics to achieve cyber resilience (Part Two in the series)

David Levine, Vice President of Corporate and Information Security, CSO CISM, Ricoh USA, Inc

Summary

The second in a two-part series on security metrics to achieve cyber resilience.

Read time: 3 minutes

In the first of this two-part series (you can read part one here), we considered emerging channels for cyber attacks, the importance of cyber resilience, and how taking a risk-based approach to cybersecurity gives you an edge over cybercriminals.

In this second part of the series, we look at why security metrics matter, how to choose the metrics that are meaningful to your organization, and the evolving role of IT security leadership.

(Cyber) security metrics matter

Cybersecurity threats are always evolving. Fortunately, so are the processes and technology used to address and measure them. To understand how your security functions over time, you need to track cybersecurity metrics. These metrics can also demonstrate if your sensitive information is being protected and can communicate how well you are aligned with and supporting the business, its mission and goals.

Putting these metrics in place makes it possible to regularly evaluate the effectiveness of the security measures in which you have invested. Measurement also helps to demonstrate to the business how cybersecurity efforts are saving the organization money by preventing and/or containing costly cyberattacks. And, in some industries, measurement reporting is a fiduciary or regulatory duty - having a clear process in place saves time and money, and reduces anxiety for those whose job it is to protect your data and systems.

Which cybersecurity metrics should you choose?

There is no single rule for choosing how to track or measure cybersecurity. Every company quantifies and assesses risk in its own way based on situational variables, such as: 

  • Required protocols and certifications

  • Company culture

  • Industry

  • Business model

  • Global region

  • Budget variances

  • Individual personalities 

The risk-based approach to cybersecurity is customizable and enables you to tailor cybersecurity programs to specific requirements and operational vulnerabilities that are unique to your needs.

Examples of useful metrics to track include:

  • Vulnerability management – how many devices on your network are fully patched?

  • Unidentified devices on internal networks – are employees unknowingly introducing malware?

  • Security incidents – simply tracking numbers doesn’t add much value; however, trending over time can provide insights into your program’s effectiveness and areas that may need more attention. Significant or unique events should be communicated, as well.

  • Time to detect, resolve and contain – how long does it take to complete each critical phase?

From a business perspective, also consider communicating:

  • How many deals you helped close or enabled.

  • Ongoing or completed projects that enabled/supported key business initiatives.

Another related benefit of the risk-based approach is that it separately measures both the risk reduction efforts you have made and the actual reduction in risk. Traditional practices measure collective effectiveness based on program completion. Program completion is a single metric, and measuring this way doesn't tell the entire story of your effort – or your risk.

Too often, we make decisions based on conflicting metrics. By clearly linking efforts or action taken to actual risk reduction, we can make business decisions that weigh impact more effectively. This provides the flexibility to adjust for risk reduction at any level, wherever risk exists.

Regardless of the metric, it has to be meaningful to the person or group to whom it is being presented. Additionally, you should consider that you may have different tiers of metrics depending on the audience. More detailed technical metrics may be needed for some audiences and, in other cases, higher-level summary metrics may be appropriate.

A risk-based approach helps to make business decisions that weigh impact more effectively by clearly linking inputs and outputs.
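The metrics listed above (patch coverage, unidentified devices, incident trend over time, and time to detect, contain and resolve) and the idea of tiering the same data for different audiences can be computed from an asset register and an incident log. The script below is an added example written for this article, not code from the author or from Ricoh; the asset and incident records are constructed sample data, and the field names (`occurred`, `detected`, `contained`, `resolved`, `inventoried`, `fully_patched`) are assumptions about what an incident tracker and asset register would export.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    ident: str
    severity: str
    occurred: datetime   # start of attacker activity, established by the investigation
    detected: datetime   # when the security team first became aware
    contained: datetime  # when further spread/impact was stopped
    resolved: datetime   # when systems were fully restored


@dataclass
class Asset:
    hostname: str
    inventoried: bool    # present in the asset register (False = "unidentified device")
    fully_patched: bool


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed sample data (assumed export from an incident tracker / asset register).
INCIDENTS = [
    Incident("INC-1", "high",   _ts("2024-01-03T08:00"), _ts("2024-01-03T20:00"), _ts("2024-01-04T02:00"), _ts("2024-01-05T20:00")),
    Incident("INC-2", "medium", _ts("2024-01-15T10:00"), _ts("2024-01-16T10:00"), _ts("2024-01-16T14:00"), _ts("2024-01-17T10:00")),
    Incident("INC-3", "low",    _ts("2024-02-02T09:00"), _ts("2024-02-02T15:00"), _ts("2024-02-02T17:00"), _ts("2024-02-03T15:00")),
    Incident("INC-4", "high",   _ts("2024-03-10T00:00"), _ts("2024-03-10T06:00"), _ts("2024-03-10T10:00"), _ts("2024-03-11T06:00")),
]
ASSETS = [
    Asset("ws-001", True, True),
    Asset("ws-002", True, True),
    Asset("srv-db1", True, False),
    Asset("srv-web1", True, True),
    Asset("unknown-mac-3f2a", False, False),  # seen on the network, not in the register
]


def patch_coverage(assets) -> float:
    """Fraction of inventoried devices that are fully patched (vulnerability management)."""
    known = [a for a in assets if a.inventoried]
    if not known:
        return 0.0
    return sum(1 for a in known if a.fully_patched) / len(known)


def unidentified_device_count(assets) -> int:
    """Devices observed on internal networks that the asset register does not know about."""
    return sum(1 for a in assets if not a.inventoried)


def incidents_per_month(incidents) -> dict:
    """Incident count by month of detection: the trend, not just the raw number."""
    counts = Counter(i.detected.strftime("%Y-%m") for i in incidents)
    return dict(sorted(counts.items()))


def phase_times_hours(incidents) -> dict:
    """Mean hours for each critical phase: detect, contain, resolve."""
    def hours(start, end):
        return (end - start).total_seconds() / 3600
    return {
        "mean_time_to_detect": mean(hours(i.occurred, i.detected) for i in incidents),
        "mean_time_to_contain": mean(hours(i.detected, i.contained) for i in incidents),
        "mean_time_to_resolve": mean(hours(i.detected, i.resolved) for i in incidents),
    }


def report(incidents, assets, audience: str) -> dict:
    """Tiered view of the same data: full detail for technical readers, a summary for executives."""
    technical = {
        "patch_coverage": patch_coverage(assets),
        "unidentified_devices": unidentified_device_count(assets),
        "incidents_by_month": incidents_per_month(incidents),
        "incidents_by_severity": dict(Counter(i.severity for i in incidents)),
        "significant_incidents": [i.ident for i in incidents if i.severity == "high"],
        **phase_times_hours(incidents),
    }
    if audience == "technical":
        return technical
    # Executive tier: a handful of rounded headline figures.
    return {
        "patch_coverage_pct": round(technical["patch_coverage"] * 100),
        "unidentified_devices": technical["unidentified_devices"],
        "incidents_this_period": len(incidents),
        "significant_incidents": len(technical["significant_incidents"]),
        "mean_hours_to_contain": round(technical["mean_time_to_contain"], 1),
    }


if __name__ == "__main__":
    for audience in ("technical", "executive"):
        print(audience, report(INCIDENTS, ASSETS, audience))
```

The "time to detect" figure depends on knowing when the attacker activity actually started, which usually comes from the forensic timeline rather than the ticket system; if that field is missing, the metric silently measures something else, so it is worth validating that input before reporting it upward.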

The evolving role of IT security leadership

Today a company’s most senior security resource is commonly involved in both quarterly and annual planning, inputs and results. At the same time, the organization's full executive leadership team is aware of cyber threats and vulnerabilities and invested in the decision-making, buying processes and prevention plans that inform its entire cybersecurity ecosystem—not just the CIO or CSO.

While having more stakeholders in the mix may sound counterintuitive to agility and efficiency, you'll realize many benefits to having the full team’s involvement. It provides alignment among departments and team members all driving toward the same goal—reducing risk.

This trend will continue as security planning continues to move from the back office to the front and security leaders become trusted advisors and partners to the business. 

Action to take for cyber security success

If an approach to cybersecurity is informed by fear, uncertainty and doubt, its runway for success will be short; stakeholders will lose their patience; and faith and trust will be lost. To stay vigilant, you must:

  • know and address existing and emerging channels for cyberattack;

  • familiarize yourself with security metrics and determine which ones are most meaningful to you; 

  • employ a risk-based approach to address the most high-risk vulnerabilities; 

  • educate your whole company about cybersecurity; 

  • and give IT security a seat at the table. 

To tackle the most impactful risks to your business, you must move beyond compliance and prioritize your highest threats. This comprehensive approach offers the greatest cyber resilience and ultimately, it will pay big dividends.


About the Author


David Levine

Vice President of Corporate and Information Security, CSO CISM, Ricoh USA, Inc.

David Levine is Vice President of Corporate and Information Security, CSO CISM, Ricoh USA, Inc. In this role, he oversees cyber and physical security, trade compliance, access management, eDiscovery and litigation support, select compliance functions and is routinely engaged in customer discussions on risk and security. He also chairs Ricoh’s security advisory council and leads the company’s global security team.
