Metrics to Avoid When Discussing Cybersecurity Program Management with Executives
Chief Information Security Officers (CISOs) have one of the toughest jobs in the C-Suite. They are not only responsible for protecting their organization (which alone is no easy task), but are also tasked to explain the current state of security to the rest of the executive team (without using any industry jargon).
CISOs must communicate with senior leadership so swift action can be taken, however there are myriad metrics to track, measure and understand. Turning complicated cybersecurity metrics into actionable insights for corporate leadership is a tremendous challenge for today’s CISO, especially as some stats are far more impactful than others.
Which Cybersecurity Metrics to Avoid When Discussing Cybersecurity Strategy with Executives
We sat down with Ed Leppert, founder of Cybersecurity GRC and longtime cybersecurity expert to learn more about the intersection of cybersecurity and compliance and how CISOs can build a successful program.
Vulnerability Scans Results by Common Vulnerability Scoring System (CVSS) Value
Leppert says that ranking vulnerability scan results by CVSS value is one of the metrics he has the most issues with: “I can’t tell you how many times I’ve gotten inquiries from clients on my plan of action for addressing a high-risk vulnerability that has been discovered in the wild (based on CVSS rating) and why I haven’t placed a high priority on remediating it.”
According to Leppert, what the CVSS score doesn’t account for is the limitations of each vulnerability in a given environment: exploiting it may require extreme sophistication because of other defenses already in place, or a level of skill that few attackers have. The CVSS value does help identify the potential danger of a vulnerability, but it needs to be taken in context with the difficulty of exploiting it within each environment.
Percentage of Security Program Controls Covered in Policies
The percentage of security program controls covered in policies is another double-edged metric. It is important to make sure company policies are comprehensive and cover the controls within the security program. However, great policies won’t reduce risk unless they are understood and adhered to, so the coverage percentage needs a companion metric that measures employees’ understanding of the policy and/or policy adherence via assessments.
Average Vulnerability Patch Time
The average vulnerability patch time relates back to the metric on vulnerability scans. Vulnerabilities that are not easily exploitable or don’t represent significant risk can be de-prioritized, and the longer time taken to remediate them skews the overall average remediation time. A better metric would be the average time to remediate high-risk, business-critical vulnerabilities.
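To make the two points above concrete (CVSS needs environmental context, and an all-findings average hides the number leadership actually cares about), here is an added example that is not from the article or from Cybersecurity GRC. It scores each finding with a simple, assumed context rubric (the adjustment weights are illustrative, not a standard), then computes remediation time for all findings against the high-risk, business-critical subset. The findings are constructed sample data; the field names and the helper names are the example's own.

```python
from dataclasses import dataclass
from statistics import mean, median


@dataclass
class Finding:
    """One vulnerability scan result plus the environmental context a raw CVSS score lacks."""
    vuln_id: str                   # constructed identifier, not a real CVE
    cvss_base: float               # scanner-reported CVSS base score
    asset_business_critical: bool  # does the host support a critical business process?
    exploit_available: bool        # is a working exploit publicly known?
    reachable_from_untrusted: bool # can an untrusted party reach the vulnerable service?
    days_to_remediate: int         # elapsed time from detection to verified fix


def contextual_priority(f: Finding) -> float:
    """Adjust the CVSS base score by environment. The weights are an assumed rubric
    for illustration; a real program would derive them from its own risk model."""
    score = f.cvss_base
    if not f.reachable_from_untrusted:
        score -= 3.0   # compensating controls in front of the service lower the risk
    if not f.exploit_available:
        score -= 1.5   # no public exploit means more attacker skill is required
    if f.asset_business_critical:
        score += 1.0   # impact on a critical asset raises the priority
    return max(0.0, min(10.0, score))


def is_high_risk_business_critical(f: Finding) -> bool:
    """The subset whose remediation time is the metric worth reporting upward."""
    return f.asset_business_critical and contextual_priority(f) >= 7.0


def remediation_metrics(findings: list[Finding]) -> dict:
    """Compare the all-findings average (skewed by low-priority items) with the
    average for high-risk, business-critical findings."""
    all_days = [f.days_to_remediate for f in findings]
    high_risk = [f.days_to_remediate for f in findings if is_high_risk_business_critical(f)]
    return {
        "overall_mean": mean(all_days),
        "overall_median": median(all_days),
        "high_risk_mean": mean(high_risk) if high_risk else None,
        "high_risk_count": len(high_risk),
    }


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("VULN-001", 9.8, True,  True,  True,  5),    # critical, exploited in the wild, exposed
    Finding("VULN-002", 9.1, False, False, False, 90),   # high CVSS but shielded and non-critical
    Finding("VULN-003", 7.5, True,  True,  True,  7),    # critical asset, public exploit, exposed
    Finding("VULN-004", 5.3, False, False, True,  120),  # medium CVSS on a low-value host
    Finding("VULN-005", 8.8, True,  False, False, 60),   # critical asset but behind other defenses
    Finding("VULN-006", 4.0, False, False, True,  150),  # low CVSS, long remediation
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.vuln_id}: CVSS {f.cvss_base:>4}  contextual {contextual_priority(f):>4.1f}"
              f"  report-worthy={is_high_risk_business_critical(f)}")
    print(remediation_metrics(SAMPLE_FINDINGS))
```

On this sample the overall mean remediation time is 72 days, driven by the three low-priority findings that were deliberately deferred, while the two high-risk, business-critical findings were fixed in an average of 6 days. Note also VULN-002: a 9.1 CVSS score that, once its lack of exposure and lack of a public exploit are applied, ranks below a medium finding on an exposed host, which is exactly the kind of inquiry Leppert describes.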
Why A Comprehensive Cybersecurity Program Management Strategy Is Key for Success
Overall, according to Leppert, most metrics that security teams provide are quantitative in nature and focus on activities undertaken by the security team (the number of servers scanned, the number of vulnerabilities found, new bugs discovered), but they often leave out the context of what risk those results actually represent.
Instead of looking at these types of tactical metrics, CISOs should be focused on the bigger picture – how to protect their organization from any and all risks as they become a strategic leader that drives senior management decisions.
Watch the ISACA webinar on Becoming a Next-Gen CISO with Cybersecurity Program Automation to get the latest insights on how CISOs can build successful cybersecurity program management strategies.