What does the C-suite care about? The extended list is long and diverse, tied to the nuances of their industry and the complexity of their business models. The data employed to understand and manage this list is extensive. And yet nearly all data points, on customers, employees, marketing, innovation, productivity, and cost of goods sold, to name a few, can be distilled into two fundamental metrics for all strategic decisions: revenue and profitability.
Revenue-generating functions, the profit centers, forge a direct path between their actions and their stated objectives to create revenue. It is a familiar approach with established playbooks, often bound by a target set by leadership. Supporting functions, the cost centers, are critical to an organization’s success but often have a more indirect route to defend and justify investment asks. The challenges for both, however, are quite similar, as each is entrusted to enable value and rationalize decisions under the same rubric of impact to revenue and profitability. Each must also identify the risks to meeting its goals and stated objectives and establish a plan to manage or mitigate them.
For cyber and security, this juxtaposition between value and risk is no different. In a digital-first economy, cyber investments continue to increase at a feverish pace, expanding revenue opportunities and creating new profit centers. Protecting these investments makes cyber risk a key concern for executives, and despite tremendous progress by security teams, challenges remain. The work of security is complex, technical, and dynamic: an ecosystem of people, process, and technologies facing an unrelenting adversary. Trade-offs between value and risk are constant. The risk is acknowledged, but unfortunately it is not understood and not measured the way other enterprise risks are, stunting the organization’s ability to treat cyber risk in the same way.
Legacy metrics that security teams have relied upon to rationalize their activities, defend budgets, and show value often prove ineffective. Counts of vulnerabilities remediated or incidents averted demonstrate operational value but lack a connection to revenue and profitability. Security metrics must evolve and align with their profit-center counterparts by adopting an enterprise risk management approach, organized around two key principles that can and must be measured and evaluated against their impact to the business:
Security Metrics: Key Risk Indicators (KRI)
- What – Begin by answering: what is at risk? By adopting the C-suite’s view, it is helpful to start with a top-down approach that recognizes forecasted revenue (and by extension profitability) as the most important risk factor. The subsequent response is naturally layered, accounting for the different organizational elements that rely on an uninterrupted cyber environment to achieve their objectives.
- Where – Initiate a mapping exercise to determine where cyber risk potentially exists within your unique environment. Move beyond relying solely on output from the security stack and extend to gain insights from infrastructure and business applications, compliance, and of course threat intelligence.
- How – The complexity and diversity of risk indicators in most organizations demand a scalable solution to measure their relevance and potential impact. Taken one step further, not all risks are the same; each must account for how a threat actor or adversary could actually exploit it. Not all vulnerabilities are the same either, and adopting a threat-informed approach provides the right context against impact to prioritize where the security team should focus.
Security Metrics: Key Performance Indicators (KPI)
- What – A mature risk management effort has in place the capability to continuously evaluate and drive data-driven changes to improve performance.
- How – Cyber enterprise risk management is no different. By quantifying risk exposure relative to the financial impact it may have on the affected organization, security teams can prioritize their efforts to remediate risk by concentrating their already limited resources against those actions that achieve the greatest impact.
- Why – Enterprise risk management requires a diverse set of voices to ensure the right trade-off decisions are made. Cyber risk KPIs rooted in business impact enable technical and non-technical leaders to engage, leveraging the collective wisdom of the cross-functional team to effectively balance value and risk.
- KPIs may also fluctuate based on organizational priorities and risk tolerance. This may also broaden the definition of performance to extend beyond how the security team is improving to show direct impact on enabling other organizational activity. While security teams strive to minimize friction that could impede business operations, they must also demonstrate with evidence how they are an enabler to these same activities.
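The KRI "How" principle (threat-informed prioritization) and the KPI "How" principle (quantifying exposure relative to financial impact) can be illustrated with a small worked model. The following is an added example written for this page; it is not Pellonium’s method or product, and every figure in it is constructed. It assumes a simple expected-loss formula, annual revenue at risk multiplied by the fraction of that revenue lost if the exposure is realized multiplied by a threat-informed annual likelihood, and then ranks remediation work by expected loss avoided per dollar spent, which is one common way to express the prioritization the text describes.

```python
"""Constructed illustration: revenue-based cyber risk exposure and remediation
prioritization. All asset names, revenue figures, likelihoods and costs below are
invented for the example and carry no real-world meaning."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Exposure:
    name: str
    revenue_at_risk: float    # annual revenue that depends on the affected asset
    outage_fraction: float    # share of that revenue lost if the exposure is realized
    likelihood: float         # threat-informed annual probability of exploitation
    remediation_cost: float   # cost to close the exposure

    def expected_loss(self) -> float:
        """Annualized expected loss in revenue terms (the KRI for this exposure)."""
        return self.revenue_at_risk * self.outage_fraction * self.likelihood

    def loss_avoided_per_dollar(self) -> float:
        """Expected loss removed per remediation dollar; the prioritization key."""
        return self.expected_loss() / self.remediation_cost


# Constructed sample register. Note that severity alone would rank these very
# differently: the marketing site has the scariest CVSS-style finding, but the
# checkout API carries most of the revenue exposure.
SAMPLE_EXPOSURES: List[Exposure] = [
    Exposure("checkout-api",    40_000_000, 0.25, 0.30,  50_000),
    Exposure("hr-portal",        2_000_000, 0.10, 0.05,  20_000),
    Exposure("warehouse-wms",   15_000_000, 0.50, 0.10, 120_000),
    Exposure("marketing-site",   1_000_000, 1.00, 0.20,  10_000),
]


def prioritize(exposures: List[Exposure], budget: float) -> Tuple[List[Exposure], float]:
    """Greedy selection: fund exposures in order of loss avoided per dollar until
    the budget is exhausted. Returns the chosen exposures and the amount spent."""
    ranked = sorted(exposures, key=Exposure.loss_avoided_per_dollar, reverse=True)
    chosen: List[Exposure] = []
    spent = 0.0
    for exposure in ranked:
        if spent + exposure.remediation_cost <= budget:
            chosen.append(exposure)
            spent += exposure.remediation_cost
    return chosen, spent


def residual_exposure(exposures: List[Exposure], chosen: List[Exposure]) -> float:
    """Expected loss that remains after the chosen remediations (a residual-risk KRI)."""
    chosen_names = {e.name for e in chosen}
    return sum(e.expected_loss() for e in exposures if e.name not in chosen_names)


def exposure_reduction_kpi(exposures: List[Exposure], chosen: List[Exposure]) -> float:
    """Fraction of total expected loss removed by the chosen remediations (a KPI
    expressed in business terms rather than as a count of findings fixed)."""
    total = sum(e.expected_loss() for e in exposures)
    if total == 0:
        return 0.0
    return 1.0 - residual_exposure(exposures, chosen) / total


if __name__ == "__main__":
    budget = 100_000
    chosen, spent = prioritize(SAMPLE_EXPOSURES, budget)
    print(f"Budget ${budget:,.0f}, spent ${spent:,.0f}")
    for e in sorted(SAMPLE_EXPOSURES, key=Exposure.loss_avoided_per_dollar, reverse=True):
        flag = "FUND" if e in chosen else "defer"
        print(f"  {flag:5} {e.name:15} expected loss ${e.expected_loss():>12,.0f}"
              f"  per-dollar {e.loss_avoided_per_dollar():6.2f}")
    print(f"Residual expected loss: ${residual_exposure(SAMPLE_EXPOSURES, chosen):,.0f}")
    print(f"Exposure reduction KPI: {exposure_reduction_kpi(SAMPLE_EXPOSURES, chosen):.1%}")
```

Run as a script, the model funds the checkout API, the marketing site and the HR portal within the $100k budget and defers the warehouse system, whose $120k remediation does not fit even though its expected loss is the second largest; the residual-exposure figure makes that deferred risk visible to leadership as a number in revenue terms rather than as an open ticket. The greedy ratio ranking is a simplification of a knapsack problem and of the likelihood estimate itself; in practice the likelihood would be fed by the threat-intelligence and exploitability context the text calls for, and the revenue mapping by the "Where" exercise.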
For more information on how Pellonium can support your cyber enterprise risk management efforts, please contact us at info@pellonium.com.