When an organisation suffers a data breach or other cybersecurity incident, it is not judged on whether it had few vulnerabilities or spent enough on security tools. The question is whether it did the right thing given its budget, size and needs.
Gartner predicts that within three years, 80% of the magnitude of fines imposed by regulators after a cybersecurity breach will be attributable to failures to prove the duty of due care was met rather than the impact of the breach.
In the past, cybersecurity priorities and investments were largely based on doing something to avoid an outcome. For example, you might implement a patch management tool to avoid incidents resulting from unpatched security vulnerabilities.
This is not the best course of action. Cybersecurity priorities and investments should be based on achieving a set of outcomes that are consistent, adequate, reasonable and effective (CARE). Gartner introduced CARE as a framework to help organisations assess the credibility and defensibility of their cybersecurity programme.
For example, rather than simply confirming the presence of tools and processes to patch vulnerabilities, an organisation should measure outcomes directly related to the level of protection, such as the number of days it takes to update critical systems with critical patches.
But because there is no industry standard set of security metrics or KPIs, every organisation needs the flexibility to meet its unique circumstances.
Ultimately, these are value judgments. These four characteristics embody myriad opportunities to do what is best for the organisation. Use the framework to ensure your security programme delivers better outcomes, not just greater spend.
Consistency Metrics
These assess whether security controls are working consistently over time across an organisation. They should be continuously updated, measured, and reported weekly, monthly, or quarterly to demonstrate that they remain consistent.
For example:
- Third-party risk assessment: The security control could be coverage or the percentage of third parties with a completed risk assessment
- Security awareness: The control could be currency or the percentage of employees who have received phishing training in the last X months
Adequacy Metrics
These assess whether the controls meet business needs and stakeholder expectations.
For example:
- Achievement of patching: Percentage of assets regularly patched within a protection-level agreement (PLA)
- Achievement of malware update PLA: Percentage of endpoints with anti-malware definitions regularly applied within PLA
Reasonableness Metrics
These prove that your security controls are appropriate, fair, and moderate, as determined by their business impact and the friction they cause.
For example:
- Delays and downtime: Average delay in hours when adding new access
- Complaints: Number of complaints triggered by a particular security control
Effectiveness Metrics
These assess whether your security controls are producing the desired outcome.
For example:
- Vulnerability remediation: The control could be timeliness, such as the average or maximum number of days required to remediate critical security vulnerabilities
- Prevalence of cloud security incidents: Number of cloud security issues per year related to cloud configuration issues
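As an added example (not code from the original article or from Gartner), the script below computes two of the outcome metrics described above from a set of constructed vulnerability findings: the adequacy metric "percentage of assets with critical patches applied within the PLA" and the effectiveness metric "average and maximum days to remediate critical vulnerabilities". The 14-day PLA, the record layout and the reporting date are assumptions; an open finding that is still inside the PLA is treated as not yet due rather than as a miss, while open findings past the PLA count against both metrics so a stale backlog is not hidden.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    published: date               # date the fix became available
    remediated: Optional[date]    # None means the finding is still open

# Constructed sample records for illustration, not real scan data.
FINDINGS = [
    Finding("web-01", "critical", date(2024, 3, 1), date(2024, 3, 8)),
    Finding("web-02", "critical", date(2024, 3, 1), date(2024, 3, 20)),
    Finding("db-01", "critical", date(2024, 3, 5), None),
    Finding("db-02", "high", date(2024, 3, 5), date(2024, 3, 10)),
    Finding("app-01", "critical", date(2024, 3, 10), date(2024, 3, 12)),
    Finding("app-02", "critical", date(2024, 3, 25), None),
]
PLA_DAYS = 14              # assumed protection-level agreement for critical patches
AS_OF = date(2024, 3, 31)  # assumed reporting date

def days_open(f, as_of):
    """Days from fix availability to remediation, or to as_of if still open."""
    return ((f.remediated or as_of) - f.published).days

def adequacy_patching(findings, pla_days=PLA_DAYS, as_of=AS_OF):
    """Adequacy: percentage of assets whose critical findings were all closed within
    the PLA. Open findings past the PLA are misses; those still inside it are not due."""
    status = {}  # asset -> True (PLA met) / False (PLA missed)
    for f in findings:
        if f.severity != "critical":
            continue
        age = days_open(f, as_of)
        if f.remediated is None and age <= pla_days:
            continue  # not yet due, so it neither passes nor fails
        met = f.remediated is not None and age <= pla_days
        status[f.asset] = status.get(f.asset, True) and met
    return 100.0 * sum(status.values()) / len(status) if status else 0.0

def effectiveness_remediation(findings, as_of=AS_OF):
    """Effectiveness: (average, maximum) days to remediate critical findings.
    Open findings count at their current age so the backlog is visible."""
    ages = [days_open(f, as_of) for f in findings if f.severity == "critical"]
    return (round(mean(ages), 1), max(ages)) if ages else (0.0, 0)
```

Run against the sample data, two of the four assets with due critical findings met the PLA (50%), and critical findings took 12.0 days on average with the worst case at 26 days and still open.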
As a security and risk management leader, it is up to you to contextualise for the audience, drill into detail for specific business units and systems, and link CARE metrics to business outcomes.
Using a predefined practice framework helps to ensure your security programme delivers better outcomes, not just greater capital spending.