Ian Burgess, Principal, Technology and Digital Policy Delivery,
Global spend on cyber security is rising year on year and is due to reach $96bn this year, as cyber-attacks continue to increase in complexity and frequency. However, spending ever-increasing amounts of money is not in itself guaranteed to protect companies from a cyber-attack. The budget for cyber security should, amongst other things, consider how effective a company’s tools are in defending against cyber-attacks. One way in which companies can track the effectiveness of those tools is by using cyber metrics.
It is often said that “you can’t manage what you can’t measure”, and there is some truth to that regarding cyber metrics; it is much easier to manage your cyber security strategy by measuring and analysing the data provided by your security tools. This blog won’t suggest how companies should develop metrics or what metrics they should use; instead it will look at the following ways in which the value of cyber metrics can be enhanced:
- Understanding the audience
- Alignment with business goals
- Focusing on a business solution
- Providing real-world examples
The first requirement to try and achieve maximum value from cyber metrics is to understand the audience that will receive and act on them. It is recommended that cyber metrics are presented at the highest level possible, i.e. to the Board. The audience is unlikely to be technical experts, and therefore presentation materials and in-person briefings should use ‘business’ language rather than technical language; business language is often easier for a wider audience to understand and subsequently act upon.
A caveat though: the presenter of the cyber metrics should be forearmed with enough technical information to withstand an inquisitive Board member performing a deep dive into a subject area. This is more likely to occur in the early stages of redeveloping any metrics when a Board wants to be confident enough that there is quantifiable evidence to underpin what is being presented to them.
When presented, cyber metrics, like the overall cyber security strategy, should be aligned to business goals. Cyber security is rarely viewed at Board level as a purely technical matter, but instead as one of many elements within a company that needs to be acted upon to meet overall business objectives. Failure to align with these goals is likely to result in an incoherent strategic direction and a lack of buy-in from other key stakeholders, for example Risk and IT.
Once aligned with business goals, cyber metrics should be presented in a way that focuses on a business solution – preferably one which can show how it has increased profit or reduced loss. For example, the Board are unlikely to want to know the details behind the patching status of servers. They are more likely to want to know that successfully applied patches have increased system availability, therefore allowing front office departments to process more trades and resulting in increased revenue and profit. Providing that link from the technical (patching status) to the business (increased revenue) highlights how cyber security is not an opaque function, but one that can provide tangible benefits to a company. If a positive return on investment can be demonstrated for cyber security tools, then they are more likely to draw support, and therefore investment, from the Board.
Cyber-attacks are often major news stories that can cause reputational as well as operational losses. Relating cyber metrics to real-world examples will provide context that a Board will be better able to understand. Furthermore, benchmarking against competitors can provide a relatable way for a Board to judge their performance against peers and determine whether investment in cyber security is adequate or whether it should be increased.
The above highlights some of the ways to enhance the value of cyber metrics in any company and identifies some of the key considerations when they are being created. Above all, cyber metrics need to be something that is easily understood by their audience; if they are, then proposed actions and investment are more likely to be approved.