Leveraging Metrics to Address the “Business” of Information Security

Last Updated on January 13, 2024

In my work I find that many CISOs are in a Catch-22 position with the businesses they protect. Often CISOs are judged on the number of security breaches or other incidents that are reported on their watch.
Ironically, senior management can view “no incidents” as “no problem” and ‘reward’ an excellent CISO by diverting some of the security budget to other business priorities—even though risks and the challenges of mitigating them are growing by the day… how many CISO’s out there are being asked to do more with less?

A solution I often recommend to get C-level management more involved in information security is to establish and report security metrics that align with business goals. In other words, make the security conversation a business conversation.
Relevant metrics keep security “real” and top-of-mind even when the firm’s information assets and reputation seem safe. It can also help funding and resources remain intact so your security posture doesn’t erode.
What kinds of metrics are important to the C-suite? Think numbers like “gross margin,” “average revenue per customer,” “customer retention/churn,” “operational productivity” and Net Promoter Score (NPS). Your Sales & Marketing Directors will have no problem explaining what metrics the business cares about (and you may make some key allies just by asking).
How to align information security with that focus? A recommended approach is to find ways to measure the bottom-line financial and customer contributions of information security efforts. Some examples could be:

• Customer-facing system downtime caused by information security incidents
• Number of information security incidents reported in the media or to customers and stockholders
• Information security budget as a percentage of IT budget (compared to industry average)
• Information security maturity rating (compared to industry average)
• Number of high-risk findings from your last audit or assessment
• Growth in accessible market share due to security attestations acquired (ex. with a SOC 2 Type 2 you are now able to attract Fortune 500 US based firms who require that attestation for you to be a vendor)

Metrics like these help demonstrate how security investments support the corporate mission and priorities. For example, you could illustrate how investments like a patching program reduce downtime for critical applications and therefore minimizes revenue losses associated with lost sales, etc.
Another recommended approach in discussing information security metrics with management is to measure and report progress over time towards a business-aligned goal. This can help ensure ongoing funding for important security programs. Tracking improvements in patch policy compliance or mean time to patch, for example, could help here.
If you need to benchmark your current information security posture or demonstrate your security maturity to stakeholders, contact Pivot Point Security. We specialize in penetration testing and vulnerability assessment services as well as information security advice and consulting for small to mid-sized businesses.
For more information:

• An excellent RSA Conference presentation on “Security Metrics Your Board Actually Cares About!”
• SecurityIntelligence on the metrics CISOs should present to business leaders
• Experts weigh in on “the most important cybersecurity KPIs”
• Dark Reading on “7 Business Metrics Security Pros Need to Know”