Blog post

16 Metrics to Transform Cybersecurity Measurement, Reporting, and Investment

By Paul Proctor | May 22, 2023 | 0 Comments

CIO Leadership of Strategy, Governance and Operating ModelsIT Cost Optimization, Finance, Risk and ValueSecurity and Risk Management Leaders

Gartner is benchmarking these cyber business value metrics that change the way organizations measure, report and invest in cybersecurity. These 16 metrics will transform how you discuss cybersecurity with your board of directors.

Organizations can use the information supplied here to build better metrics to guide investment and report to their board on cybersecurity.

Gartner clients have access to more detail to produce benchmarkable data like scoping guidance, definitions, and calculations.

This is an example of a full Gartner definition. Notice that this is not rocket science. The fields like target question, in-scope elements, clock (for time-based metrics), definitions, and calculations are critical elements. It is recommended that you create a full definition like this for every metric you have.

Bluntly, if you don’t have a calculation, you have nothing. The dreams of many aspiring metrics crash upon the rocks of reality when you don’t have a calculation. While I’m not supplying the Gartner calculation… you’ll be OK. There are many appropriate ways to do a calculation and I gave you an example above.

Outcome-driven Metrics

Our recommended metrics are based on the Gartner construct of an outcome-driven metric (ODM). ODMs measure the outcomes of security investments.

For example, incident remediation is an ODM that measures the outcomes of your investment in response capabilities.

ODMs are explainable to executives with no technical background, they measure protection levels, and they act as value levers.

Collectively these properties change how we measure, report, and invest in security.

ODMs are Easily Explainable to Executives

Incident remediation measures the amount of time it takes our organization to stop hacking incidents and return the organization to normal business operations.

This is the amount of time that an incident can spread, do damage, and lock up systems.

ODMs Measure Protection Levels

When an ODM improves, the investment is producing measurably better protection.

When the metric degrades, the investment is producing measurably lower protection.

Remediating incidents in 16 hours is better protection than remediating in 30 hours. Because your incidents are around for 14 more hours to do damage.

ODMs Act as Value Levers to Support Direct Investment

ODMs support direct investment to change a protection level.

If you are currently remediating incidents in 30 hours, you can make a direct investment in getting down to 16 hours and you will be measurably better protected.

ODMs Enable Cyber Governance Based on Value and Cost

ODMs support choices that balance protection levels against cost.

For example, you can spend more money, remediate incidents faster, and you will be measurably better protected.

Or, you can save some money, remediate incidents slower, and you will be measurably less protected. But you will save some money.

Why Did We Pick These 16?

This list was built in collaboration with Gartner Research Board, which is comprised of some of the world’s largest, well-funded organizations. However, these metrics are scalable to very small organizations. None of the metrics are complex.

These 16 were selected as our first generation because they have 2 very special qualities:

  • First, each of these can be explained to a business executive with no technical background.
  • Second, they represent high value, common security control investments. Everyone needs these.

This collection of metrics is not MECE (mutually exclusive, collectively exhaustive). You will need other metrics, but these should also follow the construct of outcome-driven metrics.

Gartner has a catalog of 130 ODMs across 20 different control investments. You can build an ODM out of any cyber investment.

Implementing These 16 Metrics

To gain full value, an organization should instrument their systems and processes to gather these metrics continuously. “Continuous” is different depending on the metric. Some change daily, some change once a year.

Step 1: Prioritize the metrics that are easiest to gather data and highest value.

Step 2: Use the sample above to define scope, calculation, and required investment to gather the data.

Step 3: Make investments to gather continuously.

Step 4: Measure what you are delivering today.

Step 5: Use the data in board presentations and to drive investments to achieve desired protection levels.

Benchmarking and a Cybersecurity Standard of Due Care

If you join our ecosystem and measure these 16 as we specifically define them, you will be able to compare yourself to your peers.

When you are in-line with your peers, you can create stakeholder defensibility with your customers, shareholders, and regulators.

Stakeholder defensibility and benchmarked ODMs hold the promise of creating a standard of due care for security protection.

We aren’t there yet, but the first step for you is to start measuring ODMs and create a new conversation with your board.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Leave a Comment