Metrics with a purpose…
Many executives receive a great deal of data from CSOs, but in the majority of instances it is based on the compliance rules put forth in the organization. While it is important to know the completeness of these controls, those metrics can be difficult for the executive team to quantify or to relate to their actual security posture. Adherence to these rules and technical controls is very important and should be maintained, but if an event or disaster occurs, compliance data elements do not help with recovery or posture.
We still suggest tracking common and important metrics, such as vulnerability scan results, patch status, compliance metrics, etc., but CSOs should emphasize data elements that give the executive team a deeper understanding of their security posture. Implementing and maintaining a valid baseline maturity model is the first step in providing real information to your executives. If you only show a graph of how many attack attempts were blocked, your executive team will assume that everything is fine until the first weakness is exploited. These metrics need to show relevance; without context, most executives will not know what to do with the report. Taking the metrics you are gathering and building a maturity model on that data provides insight into the security program and whether progress is being made.
There are multiple security maturity models to choose from and implement, so there is no need to reinvent the wheel. Choose the one that fits your type of organization and tweak it as needed. At the simplest level of design, you want to move from a Reactive maturity level, implement the appropriate Compliance-driven controls such as mandatory regulatory overlays, and then finally move into a Risk-Based maturity level where your organization is proactively correcting security deficiencies.
These models and the components within them will vary from boardroom to boardroom. Some executives care deeply and understand the struggles that may be occurring within the security department, while others have very little interest. CSOs must build relationships and have thoughtful conversations so they can develop the appropriate maturity model. Making sure that these reports capture the data elements each business unit cares about is vital so the executives can make informed business decisions.