Attention CISOs: The Cybersecurity Metrics That Truly Matter

A security professional sitting at a desk reviewing a cybersecurity metrics dashboard on their laptop

Successful business leadership is about effective risk management. And successful risk management starts with having the right data to hand. For the chief information security officer (CISO), this means regularly gathering and communicating cybersecurity metrics that answer board questions in a language that senior leaders understand. And that can identify security gaps which need to be addressed to mitigate risk.

Yet too many security tools are not up to the job. Generating reports can be overly complex. Visibility may be limited to specific areas of the technology environment. And insight is often based on point-in-time snapshots. This is one of the benefits that security leaders gain from adopting Cyber Asset Attack Surface Management (CAASM) solutions. With the unique visibility they have, these tools can provide business-relevant metrics and data across the entire IT environment.

Why Security Metrics Matter

The threat landscape is evolving at a dizzying pace. Adversaries are continuously adapting their tactics, techniques and procedures (TTPs) to circumvent security controls and exploit gaps in protection and visibility. The result is data breaches, service outages and potentially significant financial and reputational damage. These are critical business risks.

Cybersecurity metrics can help by illuminating the effectiveness or otherwise of cybersecurity controls. Ultimately, that should provide the information needed to improve cyber resilience and therefore minimize breaches. This should also help enhance the incident response (IR) process as well as streamline the mean time to contain (MTTC)/ mean time to detect (MTTD) in the event of successful intrusion attempts.

In short, the goal of regularly reporting on security metrics is so that CISOs can:

  • Measure the performance of controls over time, highlighting any gaps that need filling and conveying this in a language that business leaders understand.
  • Validate their security program by communicating improvements in security posture to senior executives and the board.
  • Support compliance with security frameworks and regulations.

Regulatory compliance is a particularly strong driver, with authorities increasingly keen to hold boardrooms to account for deficiencies in their security posture. New SEC rules introduced earlier this year require publicly listed organizations to “describe their processes … for assessing, identifying, and managing material risks from cybersecurity threats.” They also demand that boards describe directors’ “oversight of risks from cybersecurity threats,” among other things.

Meanwhile, the EU’s NIS2 directive will introduce a new set of 10 baseline security requirements for organizations, including:

  • Policies on risk analysis and information security
  • Incident handling
  • Business continuity
  • Supply chain security
  • Basic cyber-hygiene and awareness training
  • Multi-factor authentication
  • Encryption

Key Cybersecurity Metrics to Keep Track of

In this context, every board wants its CISOs to answer a fundamental question: “Are we secure?” The challenge for the CISO is to deliver this information without overwhelming their audience with contextless figures. Do that, and they risk losing the board’s interest rapidly.

In fact, a study from 2022 revealed that 54% of UK and US CISOs think their boards aren’t providing enough funding for critical initiatives. This often happens when senior leadership feels disengaged. Another report found that only half of global IT leaders and 38% of business decision makers believe the C-suite completely understands cyber risk.

So how do CISOs inform the board without losing its interest? Not all metrics matter to business leaders. So, it may be more appropriate to focus on the controls that have the biggest impact on business risk, and how they change over time. As referenced in this recently published paper, co-authored by Noetic advisory board member Freddy Dezeure, these ‘Key Control Indicators’ (KCIs) might include:

  • Percentage of assets in the inventory within policy.
  • Percentage of privileged accounts managed within policy.
  • Percentage of high-risk patches deployed within N hours.
  • Number of known exploited vulnerabilities detected.
  • Percentage of coverage of systems using MFA.
  • Percentage of major cyber incidents with business impact.
  • Percentage of “crown jewels” covered by security monitoring, vulnerability scanning and regular security assessments.

Focusing on high-level controls can also be a useful and succinct way to provide compliance assurance to regulators and auditors. As many global rules, regulations and frameworks today are effectively looking for the same baseline controls, it could even shave time and cost off the compliance process.

How to Deliver Meaningful Cybersecurity Metrics with CAASM

Once the CISO has worked out what cybersecurity metrics they want to collect, the challenge becomes how to ensure data is complete, accurate and current. Unfortunately, existing approaches are often undermined by tools which:

  • Offer only siloed visibility. For example, cloud security metrics tools will not be able to deliver metrics across both cloud and on-premises environments.
  • Do not track the changing state of assets and controls over time.
  • Are saddled with cumbersome and often manual reporting mechanisms.
  • Don’t combine metrics with business context.

CISOs reporting to the board and external auditors need to keep things simple. They also need to keep metrics as relevant as possible to their specific business goals. The Noetic platform provides a comprehensive view of security posture aligned with business context, so that senior leaders can make better informed decisions.

Noetic’s CAASM solution can help by providing users with the following benefits:

  1. Provides 360-degree visibility into all enterprise assets through API integrations with a comprehensive range of third-party tooling and infrastructure. This includes the major cloud platforms, vulnerability management vendors, intrusion detection systems, configuration management databases (CMDBs), endpoint detection and response (EDR) tools, and many more.
  2. Maps technical security posture data on assets (missing EDR agents, MFA not enabled, etc.) together with business context (such as location, business unit, application etc). With this, CISOs can get a broader picture of the security posture across the business aligned to different locations or business services.
  3. Automates detailed, continuously updated reporting across security hygiene and posture requirements. Fully customizable dashboards can be mapped to specific compliance requirements, or to different business areas. All relevant insights can be automatically shared with relevant stakeholders via email, Slack or other communications tools.

Progressive cybersecurity leaders require next-generation cyber asset intelligence. Learn more about how Noetic is empowering CISOs to reduce today’s risk and fuel tomorrow’s growth: Cyber Asset Management Solutions for CISOs.