Security leaders have used a wide variety of metrics over time, yet some still complain that those metrics did not help them understand how well the security program is performing or where its shortcomings lie. No single parameter works for every CISO when explaining how the security systems are performing and whether they are improving; some metrics, or combinations of specific parameters, simply prove more useful than others. The need for metrics is now greater than ever, although some security advisors point out that security teams used metrics in the past as well, and those metrics are still valued.
The parameters used by many security leaders are explained below:
Results of simulated phishing attacks
One security leader uses simulated phishing attacks to measure how the awareness training is progressing, and sets targets against those results to drive improvement.
Mean time to recover
Another security leader calculates the percentage of people affected by an incident, how much time the security team took to eliminate the problem, and whether that time was close to or exceeded the target time.
Mean time to detect
Another security leader prefers a metric called mean time to detect: the time between a successful attack and its detection by the security system. A short detection time shows that the security system is working correctly. Detection time is improved by getting the security system to detect a problem or attack within a week rather than a month, and then improved further until it detects the problem in seconds.
Penetration testing is the metric preferred by Harmer, a CISO. It is a critical metric, and its value is understood by board members as well. This metric indicates how well a company can resist such incidents and how the situation can be improved over time.
Another security leader recommends developing a metric that reports the efficiency of the vulnerability (weakness) management process. It should not only report the small patches applied after minor attacks but also show the security department's ability to manage such problems. It should also tell us how long the security department took to handle a significant issue that put a lot of valuable data at risk, and which approach proved effective in eliminating that big problem.