The CISO Conundrums, Part 4: Metrics

March 20, 2020

In the final part of our 4-part “The CISO Conundrums” series, we explore success metrics challenges that CISOs face.

Measuring success

Peter Drucker said, “if you can’t measure it, you can’t improve it.” And you also wouldn’t know how well you did. In the CISOs’ case, it’s often difficult to find appropriate metrics and measure business alignment.

According to Thycotic's report, which touches on how CISOs set key metrics and manage business alignment, 52% of survey respondents are struggling to align security initiatives with business goals, and 28% don't have a clear understanding of the success metrics used by the rest of the business departments.

CISOs would be deemed effective and successful in their cybersecurity initiatives if they can clearly demonstrate how these initiatives translate into, or contribute to, business success. Part of doing this well includes being a great listener and understanding what it takes for the broader business to succeed.

Justifying costs

When it comes to justifying the cost of purchasing or improving a security solution before any incident happens, CISOs face an uphill battle. It's usually only when a real attack or incident happens that all eyes turn to the CISO – and in that twist of circumstances, he or she suddenly becomes empowered to spend whatever is needed to mitigate the breach.

Lenny Zeltser, CISO at Axonius, suggests risk, cost and context as the areas a CISO should cover when building a proactive business case for spending that can enhance the organisation's security posture.

It's challenging to get mindshare at the board level when reporting on a technical area like cybersecurity. What comes across as everyday language to CISOs – like "TLS", "DNS", "malware" and "ransomware" – may be absolutely incomprehensible to CEOs and other C-level executives. And when people don't understand, you lose their mindshare and your chance to influence decisions.

Business people talk risk, numbers, and charts. In view of this, CISOs need to be able to translate their security efforts into digestible information that their colleagues and bosses can relate to. A Gartner report reveals that 100% of CISOs at large enterprises are responsible for board-level reporting of cybersecurity and technology risk at least once a year.

CISOs need to be able to communicate their cybersecurity efforts clearly and in business terms. Should any security incident happen, CISOs need to be able to answer the question: "How badly would that affect our business?"

Related articles:

The CISO Conundrums, Part 1: People and Culture

The CISO Conundrums, Part 2: Digitalisation – Cloud Migration & Data Security

The CISO Conundrums, Part 3: Third-party Ecosystem & Risks
