How can we redefine the role of metrics in cybersecurity to better serve all stakeholders, and how might this new approach influence decision-making, workflows, and overall security posture within an organization?
In the expansive realm of cybersecurity, metrics are integral in informing decisions and shaping growth trajectories. As we venture deeper into the connection between combatting cyber threats and business outcomes, we must understand who these metrics serve and their impact on different stakeholders. This becomes especially crucial as metrics often become the language used to bridge the communication gap between various tiers of an organization — from security teams to top executives.
During a recent discussion with Forrester analysts Allie Mellen and Jeff Pollard, the significance of metrics in many facets of the business became evident. These metrics, mean-time-to-detection (MTTD) and mean-time-to-response (MTTR), among others, can offer valuable insights into an organization's cybersecurity posture. However, this leads us to a critical reflection — who exactly is manufacturing these metrics, and who are the intended recipients? The information chain that typically flows from security teams to managers to the board of directors begs the question of the metrics' transparency, objectivity, and the inherent dynamics at play.
An intriguing concept introduced during our discussion was 'self-metrics,' an individualized framework for gauging performance. This presents another layer of complexity — who curates these metrics, and how are they collated and presented to the individual in question? This aspect points to an individual’s career-oriented metrics that should ideally balance personal aspirations and organizational expectations.
While creating metrics is paramount, translating these numerical values into meaningful, digestible narratives is equally significant. The ability to narrate a compelling story around raw data enhances its resonance with different stakeholders, promoting an improved security posture and encouraging proactive participation from all concerned entities toward an outcome that enables and protects the business.
The relevance of sourcing the correct data for calculating these metrics must be considered. Without the right data, deriving meaningful, actionable metrics becomes a near-impossible task. I find myself mulling over an instance shared by Pollard, where a financial organization negotiated with HR departments to access a unique dataset for measuring insider risk. This example underscores the importance of the right data sources, even if their procurement entails roadblocks, complexities, and other challenges.
Imagine a scenario equipped with meaningful metrics. The security teams can influence business workflows rather than merely responding to vulnerabilities. We can proactively utilize metrics to understand recurring vulnerabilities and address them preemptively. In that case, we're saving our teams' time and potentially enhancing the entire business process and workflows with an updated, more secure system.
But, as we traverse this path, a dilemma emerges. Who defines what these metrics should be? As security leaders, are we too close to our data to see the bigger picture? Would an external perspective, perhaps one provided through the lens of a data engineer, help decipher what we want to achieve from these metrics? These questions signify a need for a more holistic approach to cybersecurity metrics. One that emphasizes creating a comprehensive, stakeholder-centric model that enhances transparency and efficiency.
It's clear to me, often as I describe to the students, I have the pleasure of teaching a security analytics course. As we strive to redefine our digital ecosystems with security at the core of everything we do, we must remember that metrics are not just numbers on a spreadsheet. They are stories, images, and signposts guiding us through the labyrinth of decision-making, instrumental in comprehending current predicaments and forecasting future risks. As stakeholders in this realm, our role is to understand and use these metrics effectively and evolve them, ensuring a secure and growth-oriented digital ecosystem.
Want to hear more about this topic? Listen to (or watch the video) podcast below.
This blog post represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.
Sincerely, Sean Martin and TAPE3