No one wants to show up to an important meeting empty-handed. But with so many analytics right at their fingertips, how can CSOs pick the right numbers to reflect their work? Here are three imperative security metrics to have in your back pocket when speaking in front of your board.

When it comes to measuring cybersecurity success, those less steeped in security metrics often boil the whole thing down to one question: Has your organization been hacked, or hasn’t it?

This puts CSOs in a difficult position because breaches do happen, despite the best-laid defenses. Moreover, the fact that an organization hasn’t succumbed to a data breach doesn’t necessarily mean it has the appropriate defenses in place.

To prevent this all-too-common oversimplification of cybersecurity metrics, it’s important that CSOs educate leadership on appropriate success criteria for their security programs. But in an increasingly data-saturated world, what are the core security metrics that CSOs should present when communicating the state of security at their organization?

Focus on outcomes over posture

Many executive leaders struggle to prioritize things they can’t measure or quantify. This is why, for CSOs, identifying and agreeing upon security metrics is so important. Typically, there are two types of security metrics you want to measure: compliance and operational. Compliance is, as always, a crucial component of an organization’s security posture. But if disaster strikes, it’s not compliance that you’ll need to report on: It’s a granular view of your operations.

To make their case and answer their leadership’s tough questions about their cybersecurity operations, CSOs should focus on measurable outcomes over posture. The frequency at which CSOs run patches won’t be of interest around the boardroom table. Instead, your leadership will want to see figures for the high-level markers of success that arise when threats are detected.

While there’s no shortage of metrics that CSOs can track, there are three that are critical to monitor so they can report back to the board in a meaningful way when incidents occur: time to detection, time to remediation, and financial position concerning IT’s security budget.

Time to detection (TTD)

This is often the first thing executives worry about, and it should be a no-brainer when CSOs are establishing metrics to watch. How much time passed between when the incident first occurred and when the threat was actually discovered? On average, the time for discovery is around 150 days—not spectacular, and certainly enough time for real damage to be dealt.

In the public sector, however, TTD is even higher: It can take up to a year to identify threats. Stats like this tend to kick-start some alarms among executives, so CSOs should make them aware of the industry standards to avoid panic and a potential rush to the wrong action.

It’s important to remember that less-than-timely threat detection is not solely the fault of IT. More often, it results from a complex set of factors, including an insufficient budget and a lack of appropriate, dedicated resources. Educating leadership about these factors can prompt discussions about increasing security spend, so CSOs should be confident and transparent when explaining their time to detection numbers.

Time to remediation (TTR)

With time to detection as the first crucial metric, it follows that TTR should be the second. Once a CSO has discovered a breach, how long does it take their incident response team to resolve the problem and remove it from their system? This is a stat that should be measured in hours, not days. If it takes days, something in the response pipeline is wrong, and the process needs to be immediately reevaluated.

In addition to tracking TTR, CSOs should focus on improving the efficiency of their team’s response. When their security stack is set up to allow for replication of procedure through automation, decreased response time will follow. CSOs should streamline incident response as much as possible, making sure that when threats with particular signatures are detected, they can be expelled from the system in an efficient and consistent way.

The financial side

The final metric should surprise no one: Your leadership wants the numbers on your financial position. While there is a wide range of reportable statistics related to budget, remember that the goal when presenting to the higher-ups is to make a succinct point about cybersecurity impact and outcomes. With that in mind, there are two financial statistics CSOs should absolutely have ready when speaking in front of decision makers.

First, there’s the percent of your total IT budget that is specifically spent on security. Illustrating how much (or how little) the IT team has to work with in terms of security will help put that work in context. It can sometimes be difficult for non-technical audiences to understand that security only makes up a portion of the total technology budget. They may conflate IT with cybersecurity, assuming the response team has far more resources than they actually do.

CSOs should also bring with them the number of events they have detected, divided by their security budget for that period. By providing an estimated cost for detecting singular events, CSOs can own a measure of efficiency, demonstrating the correlation between security spend and overall cost of detection. This type of measurement presents a great way for CSOs to demonstrate economy of scale, which is crucial during budget talks with your leadership.
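
The three metrics above, computed from incident records, as an added example that is not part of the original article. The record fields, sample values, budget figures and the 24-hour TTR threshold are assumptions; cost per detection is taken here as the security budget divided by the number of detected events.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not real data). "occurred" is the estimated start
# of the incident; "remediated" is None while the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2023-01-03T08:00",
     "detected": "2023-06-02T08:00", "remediated": "2023-06-02T14:00"},
    {"id": "INC-2", "occurred": "2023-02-10T00:00",
     "detected": "2023-02-20T00:00", "remediated": "2023-02-22T12:00"},
    {"id": "INC-3", "occurred": "2023-03-01T09:00",
     "detected": "2023-03-31T09:00", "remediated": None},
]


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def board_metrics(incidents, it_budget, security_budget, ttr_limit_hours=24):
    """Summarise TTD, TTR and the two budget figures for one reporting period.

    ttr_limit_hours is an assumed threshold for "hours, not days".
    """
    # TTD: occurrence -> detection, reported in days.
    ttd_days = [_hours(i["occurred"], i["detected"]) / 24 for i in incidents]
    # TTR: detection -> remediation, reported in hours; open incidents are
    # excluded from the median and listed separately so they are not hidden.
    ttr_hours = {i["id"]: _hours(i["detected"], i["remediated"])
                 for i in incidents if i["remediated"]}
    return {
        "median_ttd_days": median(ttd_days) if ttd_days else None,
        "median_ttr_hours": median(ttr_hours.values()) if ttr_hours else None,
        "slow_response": sorted(k for k, v in ttr_hours.items()
                                if v > ttr_limit_hours),
        "still_open": [i["id"] for i in incidents if not i["remediated"]],
        # Share of the total IT budget spent specifically on security.
        "security_share_pct": 100 * security_budget / it_budget,
        # Estimated cost of detecting a single event in this period.
        "cost_per_detection": (security_budget / len(incidents)
                               if incidents else None),
    }


if __name__ == "__main__":
    for name, value in board_metrics(INCIDENTS, 10_000_000, 750_000).items():
        print(f"{name}: {value}")
```

Reporting the median rather than the mean keeps one long-running incident from dominating the figure shown to the board.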

Come prepared

When asked to account for breaches or to justify their budget, CSOs can’t afford to show up empty-handed. They need to demonstrate a keen eye for efficiency, growth and success. In order to do that with any degree of reliability, they need appropriate metrics.

The security metrics discussed above are just a starting point. It’s crucial that all CSOs find the numbers that best demonstrate their capabilities and work, and that support their organization’s mission. But by establishing and keeping to these basic metrics for success, they can be sure they are well-prepared when it comes to discussing key indicators of success with leadership.


Written by Gregory Kushto, vice president of sales engineering at Force 3. This article was originally published by CSOonline.com.

