10 Security Metrics Categories CISOs Should Present to the Board

Dark Reading – Ericka Chickowski
**Cyber Reporting and Metrics: A Boardroom Priority**
With increased regulatory requirements and heightened cybersecurity risks, cyber reporting and metrics have become a top priority for companies.
Boards of directors expect CISOs and security executives to provide rigorous tracking and reporting of key performance indicators (KPIs) and key risk indicators (KRIs).
**Security Operational Metrics:**
Fundamental to both KPIs and KRIs are security operational metrics that track the scope of assets, cybersecurity activities, and measured security outcomes.
These metrics help boards evaluate the effectiveness of cybersecurity investments and the efficiency of cyber controls.
**Common Metrics for CISOs to Track and Share with the Board:**
1\) **Data:**
– % data centralized
– % data encrypted
– Backup frequency
– Speed of data recovery
– % employee/customer/user info on Dark Web
– Depth of data-lake segmentation
2\) **Financial Assets:**
– Value of actual money/crypto lost directly
– Value of money or productivity lost to ransomware
– Volume of financial data leaked
3\) **People:**
– % phishing email click-through
– % suspicious email reported
– Number of passwords compromised
– Ratio of privileged accounts to total accounts
– % employees moving data/files out of the enterprise
4\) **Suppliers:**
– Self-certification of cybersecurity posture of third parties
– External scoring against peers and industry
– Continuous monitoring of posture of third and fourth parties
– External audit compliance
– Penetration testing scores (from suppliers)
5\) **Infrastructure:**
– Number of servers/hardware approaching end of life
– Secure configurations of all assets
– Depth of network/infrastructure segmentation
– Level of automation of inventory and control of hardware assets
– Vulnerability scanning
– Depth of zero-trust architecture deployment
6\) **User-Controlled Devices:**
– Number of unidentified devices on the network
– Number of devices with unpatched software
– Rate of false positives
– Number of threats detected and prevented by the endpoint solution
7\) **New Technologies: IoT:**
– Number of non-upgradable or patchable IoT devices
– Number of IoT ports connecting to enterprise networks
– Depth of IoT segmentation from enterprise resources
8\) **Enterprise Applications:**
– Known open software vulnerabilities
– Software patches outstanding
– Number of zero-day software vulnerabilities
9\) **Testing Security Posture:**
– Penetration (red, blue) testing
– Independent external security ratings versus peers and the industry
– Internal/external auditor report on regulatory and cyber compliance
– Application and other testing scores and discoveries
10\) **Incident Detection and Response:**
– Volumes and % of actual incidents versus intrusion attempts
– Mean time to detect
– Mean time to contain
– Mean time to remediate/resolve
– Red team scores and discoveries
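The detection and response figures in this category are derived from per-incident timestamps. The following Python is an added illustration, not code from the Dark Reading article; the event records are constructed, and the stage boundaries (MTTD measured from first malicious activity to detection, MTTC from detection to containment, MTTR from first activity to resolution) are this example's own assumptions, since the article does not define them.

```python
from datetime import datetime
from statistics import mean

# Constructed sample events (not from the article). Each row is:
# (id, started, detected, contained, resolved, confirmed_incident)
# None means that stage never occurred, e.g. a blocked intrusion attempt
# that never became an actual incident.
EVENTS = [
    ("E1", "2024-03-01T08:00", "2024-03-01T09:00", "2024-03-01T11:00", "2024-03-02T09:00", True),
    ("E2", "2024-03-03T10:00", "2024-03-03T10:30", "2024-03-03T12:30", "2024-03-04T10:30", True),
    ("E3", "2024-03-05T00:00", "2024-03-05T00:05", None, None, False),  # blocked at the perimeter
    ("E4", "2024-03-06T14:00", "2024-03-06T14:10", None, None, False),  # blocked by endpoint control
    ("E5", "2024-03-07T01:00", "2024-03-07T07:00", "2024-03-07T09:00", "2024-03-09T01:00", True),
]

_FMT = "%Y-%m-%dT%H:%M"


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 3600


def incident_response_metrics(events):
    """Compute the category-10 metrics from a list of event records.

    Assumed stage boundaries: MTTD = started -> detected,
    MTTC = detected -> contained, MTTR = started -> resolved.
    Only confirmed incidents feed the time-based means; every event
    counts as an intrusion attempt. Means are None when no data exists.
    """
    incidents = [e for e in events if e[5]]
    attempts = len(events)

    def avg(pairs):
        vals = [_hours(a, b) for a, b in pairs if a and b]
        return mean(vals) if vals else None

    return {
        "intrusion_attempts": attempts,
        "incidents": len(incidents),
        "pct_incidents_of_attempts": 100.0 * len(incidents) / attempts if attempts else 0.0,
        "mttd_hours": avg((e[1], e[2]) for e in incidents),
        "mttc_hours": avg((e[2], e[3]) for e in incidents),
        "mttr_hours": avg((e[1], e[4]) for e in incidents),
    }


if __name__ == "__main__":
    # Board-style one-line summary for the reporting period.
    m = incident_response_metrics(EVENTS)
    print(f"{m['incidents']}/{m['intrusion_attempts']} attempts became incidents "
          f"({m['pct_incidents_of_attempts']:.0f}%); MTTD {m['mttd_hours']:.1f}h, "
          f"MTTC {m['mttc_hours']:.1f}h, MTTR {m['mttr_hours']:.1f}h")
```

Tracking these means per quarter, rather than as a single snapshot, is what lets the board see whether detection and containment are actually improving.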
**Conclusion:**
CISOs should roll up these metrics into easy-to-digest assessments and dashboards to inform the board of directors about risk levels and security performance.
These metrics provide a data-backed model for evaluating the efficacy of an organization’s cybersecurity program and identifying gaps in protection.
By tracking and sharing these metrics, CISOs can demonstrate the effectiveness of their security investments and improve the overall security posture of the organization.
Link: https://www.darkreading.com/cybersecurity-analytics/10-security-metrics-categories-cisos-should-present-to-the-board