by Joseph Socolof
Contributing Editor

Building a cyber program starts with knowing what good looks like. ‘Good’ is not some vague description, but rather the hard targets to which we will manage day-to-day and aspire in the longer term. Yes, it is hard to measure risk. No, that does not mean you shouldn’t try.

Defining cyber security metrics and targets is no different than defining operational metrics and targets. Everybody knows the ‘what’:

  • Define what matters – often this is defined as ‘knowing your critical assets’. In our view, this is inadequate. What matters is ‘net value at risk’ – a measure which quantifies how secure an organization is and what it is costing to secure it. The word ‘net’ is critically important. Any set of metrics has to include the dollars spent on minimizing risk. Too often we see programs which do not explicitly highlight dollars being spent. In almost all cases, this means dollars are being spent poorly.
  • Identify the key drivers – net value at risk is calculated by understanding the decisions that are made and the behaviors that are exhibited by an organization, and the impact those decisions and behaviors have on minimizing threats, vulnerabilities and impact (TVI). Net value at risk is a good way to keep score, but not a particularly good way to manage. An organization needs to understand the decisions and behaviors which matter and then build transparency into their performance.
  • Develop baselines – this is straightforward. For the things that matter, figure out how we are doing and how we are performing. Ideally, organizations would have the information readily at hand. In reality, most don’t.
  • Set targets – this is where the real value is created if done correctly (and managed). Targets need to be the very specific expectations of performance at some future point in time. There are often very clear reasons organizations perform the way they do (baselines). Target setting provides the impetus and structure to cause the business to close gaps, eliminate roadblocks, and creatively think about how to do things differently.

Again, organizations know the ‘what’ – the challenge is the ‘how’ – how do we get from where we are today to having a robust set of metrics and targets to which we manage?

It is actually quite difficult to get this right. In our experience, establishing the right metrics is both a top-down and bottom-up exercise. At the top of the organization, leaders need to be engaged – often through a series of workshops. If leaders do not understand what cyber security is and why it matters, they will be unwilling or unable to lead their organizations. Changing an organization’s culture around cyber is not as simple as running a few workshops or training sessions, though this is what we often see organizations do. Without ‘making it real’, any education will be lost. Making it real is accomplished by building the link between theory and practice.

At the front line, cyber needs to be made real. We often start in a very targeted area of the organization, select a metric that matters – it can be something as simple as clicking on phishing emails or plugging devices into the network with permission – get the reporting out, and then actively review performance.

Linking the leadership team with the newly highlighted metrics is where the magic happens. Building the cascaded reviews where performance can be reviewed and course corrections can be made is critical if an organization is going to really build a strong culture of cyber security. It does not have to take long to build a strong cyber culture, but it does require getting started with an understanding of ‘what good looks like’.
