Effectively explaining security metrics to leadership
Metrics, when used effectively, can identify strengths and weaknesses in an organization’s security, risk or business continuity programs and provide valuable information to management. However, the metrics that security professionals track are often not easily understood by executives.
Oftentimes there is a disconnect between what executives should be told and how that information is presented to them. To better understand this disconnect and give security professionals the right tools to explain metrics in a way that makes sense to leadership, here are three scenarios to consider:
Problem 1: Sacrificing detail for simplicity
There might be a tendency to report simple “successful” or “unsuccessful” metrics for projects instead of diving into the nitty-gritty of what actually happened. Additionally, given the time constraints many busy execs face, presenting the complicated details behind a metric in a short presentation can be quite challenging and an inefficient use of everyone’s time.
Solution: Try to use industry comparisons and outside surveys when talking about complicated analytics. Comparisons to other incidents, competitors or events can give context to busy executives who need to quickly understand and digest information. Providing “executive summary” reports is a good way to home in on the important information while still keeping all the underlying data points available if they ask for them later.
Problem 2: Viewing metrics as an exact science
Metrics are not an exact science. They might tell you how many attacks your security controls stopped, but not how many future attacks will be stopped or how many attacks the controls missed. Management executives want security departments to tell them precisely what is going on, in language they can understand, and that can be tricky.
Solution: The most effective way to present security metrics to management is to describe the nature of the problem and the results or data you were able to collect, and to add the caveat that there is room for interpretation. Give examples and show leadership how the data impacts the business and how you are able to learn from the information to improve processes, tighten security controls or mitigate further attacks.
Problem 3: Nobody cares about security metrics
Do you feel like upper management sometimes asks for security metrics as a “check the box” exercise? Especially where the organization hasn’t experienced its own security issues, you may find that leadership isn’t fully invested in understanding these metrics.
Solution: This is where comparisons and competitive analysis can be helpful. Take, for instance, a company that has experienced a breach: if you can compare your metrics to what you know about theirs, you will be able to show management how important it is to understand the metrics (and the risks). Speak about metrics in ways that relate directly to the business. What do they mean for ongoing security? How do they put you ahead of others in the marketplace? If you didn’t have these controls in place, what would be happening instead? Explain the information in a way that gives leadership insight into how these processes help the business now and protect it from future risk.
Need ideas on which metrics make sense to share with your team or other business units? Check out our previous post, “Security metrics that matter”.