I’ve reviewed hundreds of cybersecurity metrics programs over the last 15 years. I’ve stated repeatedly, and confidently, two things:
- No one can give you your list of metrics.
- You should not use operational metrics with executive decision makers.
I was wrong.
It turns out I can tell you exactly what your metrics should be… and ironically, they are operational metrics. They are not particularly complex or sophisticated; they just measure the right thing: value.
Gartner’s construct for outcome-driven metrics (ODMs) is ideal to measure cybersecurity value. ODMs measure a direct line-of-sight to protection levels (value) expressed as an operational outcome.
For example, “number of days to patch critical systems” is an ODM for threat and vulnerability management. It is an operational outcome in which we can directly invest, and it has a direct line of sight to the value proposition of patching, which is to reduce the amount of time that vulnerabilities are available for exploitation.
Gartner has more than 100 outcome-driven metric examples across 20 control classes that all share the same characteristics for measuring value delivery. They represent operational outcomes with a direct line of sight to the protection levels (value) created by the controls they measure.
We are benchmarking 20 of these.
We are doing a lot of metrics reviews with our clients. We can identify metrics that are OK as-is, ones that can be improved with the right characteristics, and ones you should just throw away because they’re worthless. Many of the ones we would identify as good are hidden because nobody understands their value.
You’re wasting your time on metrics that don’t guide priorities or investments in security and don’t put them in a business context for your board. That’s an acid test for the value of a metric.
A second acid test is: are these metrics influencing any decision making? Because if they’re not, again, you’re wasting your time.
Enough Already, Just Give Me the Metrics
Here are 5 examples of cybersecurity value delivery metrics you should give to your board. Gartner clients have access to 20 of these that are being benchmarked globally and a catalog of more than 100 across 20 cybersecurity control classes.
Time to Remediate Incidents: What is your average time (in hours) between incident ticket generation and ticket close for “critical & high priority” security incidents?
OS Patching Cadence (Standard): What is your average time (in days) to apply critical operating system patches within your standard patch process?
Risky 3rd Parties Engaged: What percentage of known third parties with poor security assessment results have been engaged by the organization?
Phishing Reporting Rates: What is your percentage of people who report suspicious emails for your standard organization-wide phishing campaigns?
Recovery Testing – Core Systems: What is your percentage of core systems supporting critical business/mission functions that have successfully completed full recovery testing in the last 12 months?
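As an added illustration (not code from the post or from Gartner), here is how the five metrics above could be computed from ticket, patch, vendor, phishing and recovery-test records; the records are constructed, and the inclusion rules (open tickets excluded rather than counted as zero, emergency patches left out of the standard cadence, targeted phishing exercises left out of the org-wide rate) are assumptions, since the post gives only the definitions.

```python
from datetime import datetime, timedelta
# Constructed sample records, not real benchmark data.
INCIDENTS = [  # (priority, ticket opened, ticket closed or None if still open)
    ("critical", "2022-03-01T08:00", "2022-03-01T20:00"),  # 12 h
    ("high",     "2022-03-02T09:00", "2022-03-03T09:00"),  # 24 h
    ("low",      "2022-03-02T10:00", "2022-03-09T10:00"),  # not critical/high
    ("critical", "2022-03-05T10:00", None),                # still open
]
PATCHES = [  # (severity, process, patch released, patch applied or None)
    ("critical", "standard",  "2022-02-01", "2022-02-11"),  # 10 d
    ("critical", "standard",  "2022-02-15", "2022-03-01"),  # 14 d
    ("critical", "emergency", "2022-02-20", "2022-02-21"),  # outside standard process
    ("moderate", "standard",  "2022-02-20", "2022-03-20"),  # not critical
]
THIRD_PARTIES = [("a", "poor", True), ("b", "poor", False), ("c", "good", True), ("d", "poor", True)]
PHISHING = [("standard", 200, 30), ("standard", 300, 45), ("targeted", 20, 10)]  # (type, sent, reported)
SYSTEMS = [  # (name, supports critical function, last full recovery test, test passed)
    ("erp", True, "2021-09-15", True), ("crm", True, "2021-03-01", True),  # crm: test too old
    ("mail", True, None, False), ("hr", True, "2022-01-10", False), ("wiki", False, None, False),
]

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def time_to_remediate_hours(incidents=INCIDENTS):
    """Mean hours open->closed for critical/high tickets; open tickets are excluded, not counted as 0."""
    durations = [_hours(o, c) for p, o, c in incidents if p in ("critical", "high") and c]
    return round(sum(durations) / len(durations), 1) if durations else None

def patch_cadence_days(patches=PATCHES):
    """Mean days release->applied for critical OS patches handled by the standard process only."""
    days = [_hours(r, a) / 24 for s, proc, r, a in patches if s == "critical" and proc == "standard" and a]
    return round(sum(days) / len(days), 1) if days else None

def risky_third_parties_engaged_pct(parties=THIRD_PARTIES):
    """Share of known third parties with a poor assessment result that were engaged anyway."""
    poor = [engaged for _, result, engaged in parties if result == "poor"]
    return round(100 * sum(poor) / len(poor), 1) if poor else None

def phishing_reporting_rate_pct(campaigns=PHISHING):
    """Reports / recipients across standard org-wide campaigns (targeted exercises excluded)."""
    std = [(sent, rep) for kind, sent, rep in campaigns if kind == "standard"]
    return round(100 * sum(r for _, r in std) / sum(n for n, _ in std), 1) if std else None

def recovery_testing_pct(systems=SYSTEMS, as_of="2022-04-01"):
    """Share of core systems with a passed full recovery test in the 12 months before as_of."""
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=365)
    core = [s for s in systems if s[1]]
    ok = [s for s in core if s[2] and s[3] and datetime.fromisoformat(s[2]) >= cutoff]
    return round(100 * len(ok) / len(core), 1) if core else None
```

Each function returns None rather than a misleading number when there is nothing to measure, which is the case a dashboard should surface rather than hide.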
Webinar and Benchmark Release
April 20, 2022, 11:00 AM ET: The webinar “Make Cybersecurity a Priority Business Investment” addresses this topic and more. This webinar is open to everyone and will be available for replay.
June 10, 2022, 9:00 AM ET: At the Friday morning keynote of our Security and Risk Management Summit in National Harbor, MD, I will be releasing the benchmark definitions for our first generation cybersecurity value delivery benchmark and early data gathered from a small number of organizations.
We will also release the survey to all conference participants to fill out their own data and get the earliest version of our official benchmark.
For my blog readers who are not Gartner clients, I will write a blog post with whatever version of the definitions and data we are releasing publicly. I expect a version of the survey to be generally available to gather data and give the respondents a foundation benchmark in return, but the details of that are still being worked out.