As we are constantly being told, good security metrics should have a clear link with business objectives and goals. However, it is always a challenge to translate the security metrics into something that will be of interest to the Executive and, most importantly, drive a decision or contribute to an outcome.
The Gartner report titled Five Required Characteristics of Security Metrics, which was refreshed in 2015, has some good advice. However, I would like to hear from CISOs who feel they have good reporting and metrics in place in the real world that the Executive team understands, and perhaps set up a call to discuss if there is interest.
The Gartner document is pretty good advice. However, each program may differ on what they track for metrics based on industry and the business. But a few constants do exist, such as phishing testing results and numbers on the effectiveness of virus and malware protection on email. Email is one of our largest attack vectors, and executives are exposed to this quite often due to CEO fraud attempts. You might also combine those with the risk scores you have in vulnerability scanning, and also report how many items you log in your incident tracking system, broken down by business unit and type of attack. Well, those are my thoughts and how I approach reporting and metrics. Most of all, keep it simple and educate executives as to what the impacts are and how the metrics show whether your controls are effective or not.
One of the things I am attempting to do is to take it up a level and remove the technical results from the Executive reporting (it is fine for the tech audience, such as the direct reports of the CIO). I quite like the approach of the Info security metrics group, whereby they roll up all the various metrics into 3 categories: EXPOSURE, AGILITY and CULTURE. I am also reading a book by Andrew Jaquith called Security Metrics: Replacing Fear, Uncertainty, and Doubt, which has a very good approach.
Has anyone else got some examples of what they feel works for them?