The CISO Conundrums, Part 4: Metrics

Date: 20 Mar 2020

In the final part of our 4-part “The CISO Conundrums” series, we explore success metrics challenges that CISOs face.

Measuring success

Peter Drucker said, “if you can’t measure it, you can’t improve it.” And you also wouldn’t be able to tell how well you did either. In the CISOs’ case, it’s often difficult to find appropriate metrics and measure business alignment.

According to thycotic’s report that touches on how CISOs set key metrics and manage business alignment – 52% of survey respondents are struggling to align security initiatives to business goals, and 28% don’t have a clear understanding on the success metrics used by rest of the business departments.

CISOs would be seen as effective and could be successful in their cybersecurity initiatives if they can clearly demonstrate how these initiatives contribute to business success. Part of doing this well includes being great listeners and understanding what it takes for the broader part of the business to succeed.

Justifying costs

When it comes to justifying costs to purchase or improve an existing security solution before any incident happens, CISOs face an uphill battle. It’s usually when a real attack or incident happens that all eyes turn to a CISO – then in a blink of an eye, he or she becomes empowered to spend what is needed to mitigate the breach. 

Lenny Zeltser, CISO at Axonius suggests risk, cost and context to be areas a CISO should cover when trying to build up a proactive business case for justifying spending that can enhance the organisation’s security posture.

It’s challenging to get mindshare at the board level when reporting on a technical area like cybersecurity. What comes across as everyday language to CISOs – like “TLS”, “DNS”, “malware” and “ransomware” – may be foreign to CEOs and other C-level executives. And when people don’t understand what you are trying to do, you lose your chance to influence decisions.

Business people talk risk, numbers, and charts. In view of this, CISOs need to be able to translate their security efforts into digestible information that their colleagues and bosses can relate to. A Gartner report reveals 100% of CISOs at large enterprises are responsible for board-level reporting of cybersecurity and technology risk at least once a year.

Therefore CISOs need to get a better handle on how to clearly communicate their cybersecurity efforts in the context of potential business impact. Because should any security incident happen, CISOs need to be able to answer the question: “How badly will that impact our business, and how badly will it impact you?”

Related articles:

The CISO Conundrums, Part 1: People and Culture

The CISO Conundrums, Part 2: Digitalisation – Cloud Migration & Data Security

The CISO Conundrums. Part 3: Third-party Ecosystem & Risks


For more content like this, follow us on web and our social channels.

Share on: