For years, I’ve been on a quest to find the one effective security metric that chief information security officers (CISOs) can share with senior management and the board. Unfortunately, this singularly compelling metric has remained as elusive as the grail. And sadly, I’ve long given up on my Indiana Jones fantasies.
So, a little while ago, I decided to take a different approach to thinking about security metrics. I flipped the narrative, putting myself in the shoes of a CEO as they stepped up to the microphone to explain a security breach to an excitable crowd of reporters. My view is that this experience would most likely rate on a top five list of “things to avoid” for any CEO.
As security professionals, we can’t absolutely, 100% prevent attacks. But I thought if I could understand the questions a CEO might face, then I could build a series of metrics—and perhaps even a strategy—to ensure executives had robust, defensible answers during a crisis. And hopefully, these things would help protect the firm’s reputation and customer base, too.
Let’s work through some possible media questions and look at what information CISOs can provide to senior leadership to help ensure they can deliver solid answers:
1. How did this happen?
The media will want to know how the breach happened. And in their response, many CEOs will roll out the phrase “a very advanced and sophisticated attack” — even when it’s anything but. However, that’s the key here. You need to be able to show your organization has taken care of the “usual” in terms of security, making it more likely that only an advanced and sophisticated attack could circumvent your robust security strategy.
So, to help CEOs supply that answer, you’ll want to arm them with independently validated evidence of your organization’s adherence to best practices, such as:
- Certification to standards such as ISO27001, Cyber Essentials Plus, etc.
- Recent bills of health from audits, regulatory reviews and red team tests
2. Why did this happen to you?
In search of the story, the media want an angle or reason why your firm has been affected. Your CEO doesn’t want to say it was because you were the weakest firm in your peer group. So, equip your CEO with sufficient details of the attack path, including:
- Assurance relating to common cyber-hygiene factors such as up-to-date vulnerability management activities, involving patching, asset identification, anti-malware, security awareness training and email hygiene
- Independent verification that the organization is in compliance with all relevant security policies and risk tolerances (see question 1)
3. How long have you known about this?
Moving rapidly in these scenarios is perceived as best practice. Attacks that are undetected for long periods or slow responses to detected events can undermine confidence in the organization’s security controls and threat detection. To answer the above question from the media effectively, your CEO will need information about the discovery. Ideally, you should have:
- A Security Operations Center (SOC) service running 24/7
- Stats showing your “mean time to detection”, compared with figures from peers and the industry, so your CEO can discuss them with confidence
4. What data have you lost?
In the early days of any incident response, this can be a challenging question to answer. But rest assured, the question will come up. You can help your CEO address this question effectively by making sure they have:
- Confirmation that the confidential data you hold is encrypted—this statement alone can defuse this question
- Assurance about access controls, including least privilege, segregation of duties and timely updates of leavers and movers; this enables assurances regarding “limited data access” if the attack was via an account compromise
5. How will this impact your customers? The business?
This is another question with no defined answer. However, it’s also an opportunity to demonstrate that your organization was prepared for such an event and that a pre-existing plan is being put into place. In short, you’re not making this up as you go along. Provide your CEO with:
- Knowledge of a documented incident response plan that is well-rehearsed and supported by external experts
- Knowledge of well-documented and regularly tested business continuity plans that apply in these circumstances
- Confirmation that the correct authorities have been advised of the event, in line with legal and regulatory requirements
6. Who was responsible for the attack?
This is yet another question where the media are likely to push for an answer that may, at best, be unclear. To help your CEO respond, give them:
- Assurance that your firm has a reliable threat intelligence program, which tracks threat actors who discuss or target your staff and brand
- Confirmation that the correct authorities have been engaged, in line with legal and regulatory requirements
So, where does this exercise leave us? With a collection of measurement points and metrics that would be ideal to have to hand should the worst-case scenario occur. If we break them down into components and consider how to measure each one pragmatically, we end up with a table like this:
Metric | Yes/No | RAG Status | Policy Compliance | % Score
--- | --- | --- | --- | ---
Certification status | X | | |
Audit and test schedule | | X | |
Asset identification and management | | | | X
Vulnerability management | | | X | X
Education and awareness | | | X | X
Anti-malware | | | X | X
Email hygiene | | | | X
24/7 SOC coverage | X | | | X
Mean time to detection of incidents, together with industry comparison | | X | |
% of sensitive data encrypted | | | | X
Access control management | | X | X |
Incident response plan | | X | |
Business continuity plan | | X | |
Connection with authorities | X | | |
Threat intelligence program | | X | |
This is a great place to start building your executive-level metric set. If it becomes your monthly baseline, you’ll know you can provide insightful and useful security metrics to the CEO at a moment’s notice. That will be a great reassurance to all parties.
There are areas that would benefit from further focus—culture and behavior being a personal priority. However, this is where the individuality of each firm comes into play. So, assess your own industry and organization for particularly important and/or relevant metrics.
Finally, rework the “media interview” process in collaboration with your communications team and CEO to see what different questions they may expect. Then, use that information to inform and refine your core metric set.
The model above isn’t flawless. But in my long quest to find perfection, I haven’t seen it. However, I have seen many CISOs worried by their own metric set, unsure if they’re doing enough or measuring what matters. This model aims to provide a solid foundation for security professionals to build upon with confidence and certainty.