Understanding the value of cyber security measures

To really understand the value and success of cyber security measures and the respective investments, businesses need to measure and report on agreed-upon metrics.

Organisations and senior leadership are becoming more involved in the management of cyber security risks because of the serious threat these incidents pose to the business. To mitigate the risk, they are making significant investments in all areas of security from devices and appliances to software and end-user security awareness training.

For some organisations, these activities and their associated costs become a material investment. However, security spending is not and should not be excused from the normal business scrutiny of how funds are spent and the measurement of the return on these investments.

To really understand the value and success of the security measures and the respective investments, businesses need to measure and report on agreed-upon metrics. These metrics should communicate clearly to the business owner, the board and management (if applicable) whether the cyber and information system security controls and processes are effective and are delivering value.

When developing security metrics, organisations should consider the following characteristics.

1. Meaningfulness. There is no point reporting something that no one understands, that does not relate to people’s responsibilities and activities, or that no one cares about.

2. Accuracy. The metrics must provide the identified security performance information in a format that accurately reports key activities.

3. Genuine. Measurement should be focused on those areas that can be genuinely and reliably reported. It is difficult to have confidence in a metric of breaches stopped if there is no reliable mechanism to capture the number of attempted and successful breaches.

4. Timeliness. Metrics should reflect current circumstances and processes, not outdated information that has lost its usefulness and relevance to management and stakeholders.

5. Predictive. For metrics to realise their true value to an organisation, they should be able to assist with predicting future risks, outcomes, and behaviours.

6. Independent. Metrics are more reliable when they are independently prepared.

Information security management is closely linked to an organisation’s risk-management processes. Therefore, security metrics reporting should be a key part of the risk assessment of mitigation strategies and actions that are either planned or already in place.

Michael Shatter, Partner – Security & Privacy Services, RSM Australia