Metrics help to tell a story, and to tell that story to the right audience. When I present on this topic I use an image showing a child, a spouse, and a grandparent. All three can ask the same question, “How was work?”, and all three will receive an answer with a different story. Each will receive details that are appropriate for their level of understanding and their background. The story that we, as CIOs and CISOs, need to tell is no different. We have different audience members, including the Board, Executives, Auditors, and Engineers. As we tell each of these audiences the story of IT and information security, we need to keep in mind their background and the ask.
The Board is strategic, and we are asking for resources. The Board might be comfortable with a functional-level aggregation, or they may want a single score. When a single score is needed it is usually a maturity level, and it should be coupled with a risk rating. Combined, these tell where you are and how tight the controls are.
Engineers need the details, and we are going to ask them to fix something. With the Engineers we can show detailed tactical metrics. NIST and CIS have great listings of tactical metrics with parameters for different levels of risk. From there, you can tie the results to technology.
Auditors need to know that we know our environment and that we’re doing something about it. Auditors need to see that we are headed in the right direction.
Executives need actionable information, usually by subject area, and we need to answer their ask: “What’s in it for me?” Executives need to see how the security program is affecting them, so we aggregate by the topics they care about. For example, the CMO might care about Integrity and Reputation, to address concerns about report accuracy and potential reputation damage.
Your metrics are not a burden on the job; they should be a tool that helps you tell a better story.
The NACD posted these questions to ask your security team:
1. Does the security team have a full, well-informed view of the organization’s security posture?
2. Is our organization resilient to attack?
3. Is the security team confident it can detect and respond quickly to security incidents?
4. How do you measure the effectiveness of our cybersecurity program and initiatives?
5. Do political or financial considerations impact your ability to protect the organization effectively?
Here is the CHICAGO Metrics™ response:
1. Yes, we know the overall CHICAGO Score™ and the average Risk and Effort ratings to drive decisions and prioritization.
2. We have advised the Board based on Risk and Effort and are at or working towards the risk posture tolerated.
3. We tactically measure multiple points to include incident response. These aggregate into the Character, Availability, Confidentiality, Integrity, and GOld scores. We actively manage to these.
4. We have 142 tactical metrics, for conversations with engineers, and aggregate them into 6 key business/risk indicators, for conversations with executives, complete with an overall CHICAGO Score™. It provides Risk and Effort indicators that give prioritization direction. This ties into the CHICAGO Maturity Model, which gives a definitive quantitative scoring model to determine your organization's maturity level.
5. We publish and manage to our Risk (Likelihood*Impact) and Effort (Time*People*Money) scores. This allows us to quantitatively provide the executive team the information they need to make an informed decision. These can also be tied to the 6 key CHICAGO Metrics™ and how they relate to each C-Suite executive. Think: "Speak their language."
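The rollup described in answers 3 through 5 (tactical metrics scored against a target, aggregated into the named indicator categories, with Risk = Likelihood*Impact and Effort = Time*People*Money driving prioritization) can be shown as a small worked model. The code below is an added illustration and is not CHICAGO Metrics™' own scoring method, which the post does not describe; the metric names, values, category assignments, 1-to-5 likelihood/impact scales, the attainment formula and the residual-risk ordering are all constructed assumptions for the example. The category names are taken from the indicators the post lists.

```python
from dataclasses import dataclass
from statistics import mean

# Indicator categories named in the post; which metric belongs where is an assumption.
CATEGORIES = ("Character", "Availability", "Confidentiality", "Integrity", "GOld")


@dataclass(frozen=True)
class TacticalMetric:
    """One engineer-level measurement with the scoring inputs the post names."""
    name: str
    category: str
    actual: float          # measured value
    target: float          # value engineers are asked to reach
    higher_is_better: bool
    likelihood: int        # assumed 1..5 scale
    impact: int            # assumed 1..5 scale
    time_weeks: float      # Effort inputs (assumed units)
    people: int
    money_kusd: float

    def attainment(self) -> float:
        """Fraction of target achieved, clamped to [0, 1] (assumed formula)."""
        if self.higher_is_better:
            return min(self.actual / self.target, 1.0) if self.target else 1.0
        if self.actual <= self.target:       # lower-is-better: full credit at or under target
            return 1.0
        return max(0.0, 1.0 - (self.actual - self.target) / self.target)

    def risk(self) -> int:
        return self.likelihood * self.impact         # Risk = Likelihood*Impact

    def effort(self) -> float:
        return self.time_weeks * self.people * self.money_kusd   # Effort = Time*People*Money


# Constructed sample data: five tactical metrics standing in for the post's 142.
SAMPLE_METRICS = [
    TacticalMetric("Critical patch SLA (days)", "Availability", 30, 14, False, 4, 4, 4, 2, 10),
    TacticalMetric("MFA coverage (%)", "Confidentiality", 80, 100, True, 3, 5, 8, 3, 25),
    TacticalMetric("Backup restore test pass rate (%)", "Integrity", 100, 100, True, 2, 5, 2, 1, 5),
    TacticalMetric("Phishing click rate (%)", "Character", 6, 5, False, 3, 3, 6, 1, 8),
    TacticalMetric("Mean time to detect (hours)", "Availability", 48, 24, False, 3, 4, 12, 2, 15),
]


def category_scores(metrics):
    """Executive view: mean attainment per category, as a 0-100 score."""
    scores = {}
    for cat in CATEGORIES:
        members = [m for m in metrics if m.category == cat]
        if members:
            scores[cat] = round(100 * mean(m.attainment() for m in members), 1)
    return scores


def overall_score(metrics) -> float:
    """Board view: single score as the mean of the category scores."""
    return round(mean(category_scores(metrics).values()), 1)


def board_summary(metrics):
    """Score plus average Risk and Effort, the three numbers the post says drive decisions."""
    return {
        "score": overall_score(metrics),
        "avg_risk": round(mean(m.risk() for m in metrics), 2),
        "avg_effort": round(mean(m.effort() for m in metrics), 2),
    }


def prioritize(metrics):
    """Engineer view: metrics ordered by residual risk (risk weighted by the gap to target),
    cheapest effort first on ties. Returns (name, residual_risk, effort) tuples."""
    rows = [(m.name, round(m.risk() * (1 - m.attainment()), 2), m.effort()) for m in metrics]
    return sorted(rows, key=lambda r: (-r[1], r[2]))


if __name__ == "__main__":
    print("Board:", board_summary(SAMPLE_METRICS))
    print("Executives:", category_scores(SAMPLE_METRICS))
    for name, residual, effort in prioritize(SAMPLE_METRICS):
        print(f"Engineers: {name:35s} residual risk {residual:5.1f} effort {effort:7.1f}")
```

Reading the three views against the post's audiences: the Board sees one score with average Risk and Effort beside it, executives see a score per indicator, and engineers get the ranked list of what to fix first. Changing a single metric's target or likelihood moves all three views consistently, which is the property that makes the metrics a story rather than a burden.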