Protiviti recently published a blog post summarizing the discussions from our Cyber Summit that took place in Chicago in December 2017.  The session included speakers from a variety of companies as well as Doug Hubbard, author of the book How to Measure Anything in Cybersecurity Risk.  I wasn’t able to attend the session, but there were two things from the blog post that I thought I would highlight.  First:

It’s critical first of all to understand the goals of any board, and then to develop the content that addresses the board’s concerns in representing its shareholders.

This is where most IT functions fail when developing metrics.  They assume that the metrics that are meaningful to an IT leader are equally relevant to other stakeholders.  Instead, IT organizations should partner with their stakeholders to understand their objectives and what is meaningful to the individuals receiving the metrics.  Otherwise, the metrics will be ignored because they aren’t relevant to the audience.  The second point I’d like to highlight is:

Many companies struggle to select those measures or metrics that are actually meaningful and all too often end up presenting large tables of numbers or metrics just because they can be extracted from the tool.

Many IT functions pull their metrics from whatever tools are at hand without considering the relevance of those numbers or how to present the information.  Tools like Tableau and Power BI can be used to visualize the information in a way that better resonates with stakeholders.  Similarly, the metrics themselves can be tailored to the stakeholders’ objectives.  For example, instead of reporting raw activity counts, you could report:

  • The number of attacks prevented as a result of successful patch management, rather than the raw number of patches applied (an outcome the board cares about, rather than an activity count; note that attributing prevented attacks to patching requires a defensible measurement method, which is exactly the problem Hubbard’s book addresses)
  • The cost the organization avoided by preventing cybersecurity attacks

If you’re struggling to define relevant information security metrics for your stakeholders, I suggest you read the full article on The Protiviti View.