By Paul Proctor, VP Analyst at Gartner
Properly designed security metrics and key performance indicators (KPIs) are crucial to building and maintaining strong cybersecurity operations. These metrics help communicate cybersecurity investments to executive leaders as business decisions.
Traditional cybersecurity delivery metrics, such as the number of incidents closed or the number of attacks faced, have lost their relevance because they do not reflect the true impact of cybersecurity investments. Cybersecurity outcome-driven metrics (ODMs), on the other hand, link security and risk operational metrics to the business outcomes they support. They provide a more accurate picture of how well cybersecurity capabilities achieve the desired outcomes.
CIOs must shift their focus to measuring, reporting and investing in security outcomes. This means driving investments based on protection levels measured by ODMs. As a result, CIOs can make better decisions by effectively allocating resources based on the actual outcomes achieved.
Aligning Business Outcomes with ODMs
ODMs are indicators of protection levels. When an ODM improves, the organization is measurably more protected. There are two powerful benefits to measuring ODMs for systems aligned with business outcomes:
- It allows business leaders to observe how different parts of the organization are experiencing different protection levels and allows them to choose and invest in different protection levels accordingly. Not every part of your business or mission needs the same level of protection.
- With the help of ODMs, a CIO can now explain to executives how cybersecurity spending affects the business. This supports a business case for increasing budget, and it also addresses the more complicated situation of being asked to cut cybersecurity spend.
How to Measure ODMs
Gartner benchmarks 16 ODMs including time to patch, third-party risk engagement, endpoint protection, and ransomware recovery. These benchmarks create peer comparisons for board oversight and executive engagement for cybersecurity investment.
ODMs should be measured in the context of assets, alerts, vulnerabilities, and incidents that are in the highest risk categories for an organization.
Critical and high-risk assets: Assets for which a breach of confidentiality, integrity or availability would have a severe effect on organizational operations, organizational assets or individuals.
Critical and high-risk third parties: Third parties for which a breach of confidentiality, integrity or availability would have a severe or catastrophic adverse effect on organizational operations, organizational assets, regulatory action, organizational reputation, or other material business outcomes or impacts.
Critical and high-risk alerts: Alerts that are related to an asset with a critical or high-risk classification and result from high-fidelity alerting and correlation (endpoint detection, IDS and highly tuned SIEM use cases).
Critical and high-risk vulnerabilities: To determine the vulnerability risk level, apply the Common Vulnerability Scoring System (CVSS) to the findings in your environment. Most commercial vulnerability scanners will calculate CVSS automatically as they report findings, but it is important to apply environmental context to the findings, such as network position and impact rating, to ensure scores are properly applied.
Critical and high-risk incidents: Incidents or conditions that must be addressed to avoid severe or catastrophic adverse effects on organizational operations, organizational assets or individuals.
Critical and high-risk policy exceptions: Formally tracked policy exceptions with expiration times or dates that must be addressed to avoid severe adverse effects on organizational operations, organizational assets or individuals.
Systems: Systems are all IT assets and applications that support business and mission outcomes.
Business or mission outcomes: Business and mission outcomes are measurable goals that support a business. Business outcomes can be defined at different levels, such as all manufacturing production for a business, the production for a single plant, or the production across a product line that may be split across several manufacturing plants. Outcomes are defined by each organization.
Alignment of systems to business or mission outcomes: A system is aligned to a business outcome when it has a direct line of sight to the support of that outcome — for example, the systems that support a manufacturing plant are aligned to the business outcome of producing 5,000 widgets a day. If the systems aligned to a business outcome fail, then it harms the business outcome. Organizations determine which systems are aligned by their defined outcomes.
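The measurement context described above, as an added illustration that is not part of Gartner's article or benchmark: a time-to-patch ODM computed only over critical/high-risk vulnerabilities (rated after environmental adjustment) on critical/high-risk assets, grouped by the business outcome those assets are aligned to. The asset inventory, the findings and the mean-days formula are constructed assumptions; the severity bands are the CVSS v3 qualitative ratings.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed asset inventory (assumption): risk class plus aligned business outcome.
ASSETS = {
    "plant-mes-01": {"risk": "critical", "outcome": "Plant A widget production"},
    "plant-hmi-07": {"risk": "high",     "outcome": "Plant A widget production"},
    "hr-portal":    {"risk": "medium",   "outcome": "Back-office HR"},
    "erp-db":       {"risk": "critical", "outcome": "Order fulfilment"},
}

@dataclass
class Finding:
    asset: str
    cvss_base: float
    cvss_env: float            # score after environmental context (network position, impact)
    found: date
    patched: Optional[date]    # None = still open

def cvss_rating(score: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if score >= 9.0: return "critical"
    if score >= 7.0: return "high"
    if score >= 4.0: return "medium"
    return "low" if score > 0.0 else "none"

def in_scope(f: Finding) -> bool:
    """Critical/high-risk vulnerability on a critical/high-risk asset, judged on the environmental score."""
    asset_ok = ASSETS[f.asset]["risk"] in ("critical", "high")
    return asset_ok and cvss_rating(f.cvss_env) in ("critical", "high")

def time_to_patch_by_outcome(findings, as_of: date) -> dict:
    """Mean days to patch per business outcome; open findings are counted up to `as_of`."""
    days = {}
    for f in findings:
        if not in_scope(f):
            continue
        end = f.patched or as_of
        days.setdefault(ASSETS[f.asset]["outcome"], []).append((end - f.found).days)
    return {outcome: round(mean(d), 1) for outcome, d in days.items()}

AS_OF = date(2023, 9, 30)   # constructed reporting date
FINDINGS = [                # constructed scanner findings
    Finding("plant-mes-01", 9.8, 9.8, date(2023, 9, 1), date(2023, 9, 11)),   # in scope, 10 days
    Finding("plant-hmi-07", 6.5, 7.2, date(2023, 9, 5), date(2023, 9, 25)),   # env context raises to high, 20 days
    Finding("hr-portal",    9.1, 9.1, date(2023, 9, 2), None),                # medium-risk asset: out of scope
    Finding("erp-db",       8.0, 5.5, date(2023, 9, 3), None),                # env context lowers to medium: out of scope
    Finding("erp-db",       7.5, 7.5, date(2023, 9, 10), None),               # still open: 20 days as of AS_OF
]
```

Note that the same base score can land in or out of scope depending on the environmental adjustment, which is why the ODM is reported per outcome rather than as one enterprise-wide number.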
In general, ODMs act as value levers for cybersecurity investment. By using ODMs, CIOs can more effectively drive priorities and investments that balance the need to protect the business with the need to run it.
Additional analysis on Cybersecurity ODMs will be presented during Gartner IT Symposium/Xpo 2023, Kochi, November 28-30.