By Kerwyn Velasco, CISM
Here’s a startling statistic: In a recent survey of CISOs and security professionals conducted by Rsam, only 5 percent of respondents said their IT security metrics are “very effective.” That means the overwhelming majority of us who are responsible for the security posture of our organizations are falling short, and some of us in major ways.
I don’t know about you, but I find this terrifying.
It means that we’re leaving ourselves open to a whole host of security problems. Being “somewhat” or “not effective” with IT security metrics, which is where a whopping 86 percent of those surveyed place themselves, just won’t cut it when it comes to protecting our organizations and our information. In real terms, we’re talking about the results of your spouse’s medical exams, social security numbers, and the continuity of the businesses we all rely on in our everyday lives.
Aligning your CISO Responsibilities with Security Metrics
The most common reason many security programs fall short with metrics is that we have so much data available for collection that it can be difficult to correlate it in ways that make it actionable. Remember, data is just a snapshot of a result at a point in time. Metrics are what give it context and make it meaningful and actionable.
Every organization, regardless of its industry, should take a stepwise approach to dealing with data.
Creating IT Security Metrics
1. Identify your objectives.
2. Identify metrics that support evaluation of the objective.
3. Collect the data you need.
4. Report on the results.
5. Take appropriate action.
6. Re-evaluate thresholds/tolerance levels regularly.
Why IT Security Metrics Fail
Sounds simple, but many security programs fail at the first or second step, which makes everything that follows impossible. In that same survey, more than 25 percent of respondents said they have a hard time choosing the right metrics, and over 52 percent said collecting the data to support them was their biggest challenge.
When it comes to difficulty in collecting data, there are a few hurdles that come into play. For some organizations, it may be a lack of clearly defined ownership over the data and its collection. For others, it’s an inefficient collection process. However, in the vast majority of cases, the failure comes because there is no centralized way to gather the data. It comes from various sources throughout the organization and from third parties. It’s in different formats and it’s collected by different tools. Frankly, it’s a nightmare for any CISO and their team who are trying to synthesize it.
Data collection needs to be flexible and easy for the people collecting it and for the person ultimately responsible for reporting it in a business-oriented way to the executives. These people will need to use it to make critical decisions. Otherwise, it’s just a bunch of meaningless numbers.
A centralized repository also opens up a world of automated possibilities for key stakeholders. It can remind you, for instance, to input the number of people who have accepted your information security policy; it can show how many open vulnerabilities have been hanging around for more than 90 days; it can even automate the re-evaluation of acceptable thresholds. The right compliance risk metrics platform to manage this should be able to handle manual collection and manual input. More importantly, it should enable automated collection from sources inside and outside your organization. And reporting should be push-button simple. Platforms aside, if the data you are collecting doesn’t support decision making, why are you collecting it?
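To make the stepwise approach concrete, here is an added example (not from the original post or any Rsam product) that computes the metric mentioned above, open vulnerabilities older than 90 days, from findings pulled from more than one source, checks it against a tolerance, and derives a refreshed tolerance from recent history (step 6). The finding records, source names and the mean-plus-one-standard-deviation rule for the new threshold are all assumptions constructed for the illustration.

```python
"""Stale-vulnerability metric: open findings older than 90 days, per source,
checked against a tolerance that is re-evaluated from recent results."""
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample findings (not real data): a scanner feed and a
# third-party vendor report, already normalised into one record format.
FINDINGS = [
    {"id": "V-1", "source": "scanner", "opened": "2023-01-10", "status": "open"},
    {"id": "V-2", "source": "scanner", "opened": "2023-03-20", "status": "open"},
    {"id": "V-3", "source": "vendor",  "opened": "2023-01-15", "status": "closed"},
    {"id": "V-4", "source": "vendor",  "opened": "2022-12-01", "status": "open"},
    {"id": "V-5", "source": "scanner", "opened": "2023-04-01", "status": "open"},
]


def open_older_than(findings, as_of, max_age_days=90):
    """Return ids of findings still open and strictly older than max_age_days
    on the date `as_of`, grouped by the source they were collected from."""
    cutoff = as_of - timedelta(days=max_age_days)
    stale = {}
    for f in findings:
        if f["status"] != "open":
            continue  # closed findings no longer count against the metric
        if date.fromisoformat(f["opened"]) < cutoff:  # exactly 90 days is not "more than 90"
            stale.setdefault(f["source"], []).append(f["id"])
    return stale


def evaluate(findings, as_of, threshold):
    """Step 4/5: report the metric and whether it is within the agreed tolerance."""
    stale = open_older_than(findings, as_of)
    total = sum(len(ids) for ids in stale.values())
    return {"stale_total": total, "by_source": stale, "within_tolerance": total <= threshold}


def reevaluate_threshold(history, floor=0):
    """Step 6: derive a new tolerance from recent stale counts (assumed rule:
    mean plus one population standard deviation, never below `floor`)."""
    return max(floor, round(mean(history) + pstdev(history)))


if __name__ == "__main__":
    report = evaluate(FINDINGS, date(2023, 4, 10), threshold=0)
    print(report)                              # one stale vendor finding, over tolerance
    print(reevaluate_threshold([1, 3, 2, 2]))  # refreshed tolerance from recent periods
```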
For more insights on the common challenges many CISOs are facing, watch our free on-demand webinar on Creating Your NIST Cybersecurity CISO Dashboard. It will give you some food for thought, and a potential way forward for more efficient cyber security metrics for the board.