One of the most challenging executive tasks for CISOs is quantifying the success and the value of the cybersecurity function.

Indeed, security leaders and their organizations have used a myriad of metrics over the years. Yet, many executives and board members have complained that those measures failed to provide them with adequate insight or understanding of how well the security department is performing, how it’s improving, and where it’s falling short.

“Too much technical jargon is being presented to the chief executive and the board. CISOs are still telling the board about critical vulnerabilities and the number of patches, but the board doesn’t understand that because there’s not any proper context provided,” says Jarrett Kolthoff, president and CEO of security firm SpearTip.

He adds: “Those numbers might be great for the CISO, but the CISO needs to work [on developing metrics] that offer context so the board understands risk and how much investment in security is needed.”

Cybersecurity experts, including Kolthoff, say there’s no one metric that works for all CISOs to demonstrate how well their security efforts are working and whether they’re improving over time. But some metrics, or the right combination of measures and narrative, are more useful than others.

Security metrics that matter to the business

Curtis Simpson, CISO of the tech firm Armis and former CISO of Sysco Foods, believes metrics are more important than ever, considering the increasingly high stakes of getting security right and the growing board oversight in this space.
