Mismatched metrics reflect lack of cybersecurity and business alignment
As the saying goes, if you want to manage something, you need to measure it.
In our annual global survey, we researched how well cybersecurity programs are aligned to business goals. We studied how 2000+ cybersecurity decision-makers around the world, in enterprises with over 500 employees, make decisions that impact their success as business enablers.
As part of the study, we took a hard look at how cyber leaders measure and communicate the impact of their efforts. We learned that while cyber decision-makers recognize that business alignment is important, they typically aren’t measuring their efforts through a business lens. Without shared metrics, cyber teams have a harder time gaining consensus for their decisions, budget for their programs, and a seat at the executive table.
In fact, 89% of survey respondents told us they suffered at least one negative impact in the past year due to lack of cybersecurity and business alignment.
Balancing technical and business metrics
The research shows that cybersecurity program performance is still primarily judged based on technical or activity-based metrics. These metrics can include the number of prevented or contained attacks, meeting compliance and auditing objectives, or whether a deployment is completed on time and on budget.
Indeed, these types of metrics are important because they provide insight into the effectiveness of security controls and allow teams to identify areas for improvement. However, they’re not the only factors that determine the success of a cybersecurity program.
Cybersecurity is ultimately about supporting the strategic goals of the business. Therefore, cyber leaders must also prioritize business outcomes such as economic value, growth, revenue, cost savings, user experience, and impact on other teams.
Metrics change by company size and respondent role
The research shows that how survey respondents prioritize metrics varies by company size as well as level of responsibility.
For example, measuring overall ROI/economic value is more important to smaller companies under 1,000 employees.
It’s not surprising that leaders with broad organizational responsibility, such as CEOs/Owners, are more concerned with measuring user experience and reducing friction than CISOs are. It’s interesting to note, however, that Director levels/Departmental leaders also emphasize business metrics such as economic value/ROI.
How to incorporate business metrics in your cybersecurity program
To attain business enablement goals, cybersecurity team objectives and individual MBOs (Management by Objectives) or OKRs (Objectives and Key Results) must be tied to business success and tracked on an ongoing basis.
Cybersecurity leaders can start by identifying the most critical assets and systems that need to be protected for the business to continue to operate and serve its customers and partners. Next, set metrics that measure the impact of security controls on the availability, confidentiality, and integrity of those assets.
Consider adopting a more risk-based approach to security, in which technical metrics are used in conjunction with business outcomes to inform decision-making. This would involve identifying the most significant risks to the business and then focusing resources on mitigating those risks, rather than just pursuing technical metrics for their own sake.
To achieve this vision of cybersecurity and business alignment, it’s essential to improve communication and collaboration with other parts of the organization, such as risk management, operations, product development, and sales. By working closely with these stakeholders, you’ll gain a better understanding of the business context in which your technical resources are used, so you can align your activities and priorities accordingly.
Key Cybersecurity Metrics
Consider the following metrics in measuring how well cybersecurity achieves business goals:
- Risk management metrics: To measure how effective your company is at identifying and mitigating cybersecurity risks, including the frequency of incidents and response times.
- Compliance metrics: To track how well your company is meeting regulatory and industry compliance standards for cybersecurity.
- Business continuity metrics: To measure the ability of your company to maintain business operations during a cybersecurity incident, including the duration of downtime and the recovery time.
- Cost metrics: To track the cost of implementing and maintaining cybersecurity measures relative to the overall budget.
- Productivity metrics: To measure how quickly a new employee or vendor can be onboarded and provided with the resources and access needed to do their job.
By using these types of metrics, you can assess the effectiveness of your cybersecurity strategy in enabling your organization to achieve business goals and make informed decisions about investments in cybersecurity resources.
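As an added illustration of the approach described above (not code or data from the survey or this post), the following Python scorecard computes one metric from each of the five categories listed and checks each against an agreed business target. The incident records, control results, onboarding times, spend figures and targets are all constructed sample values.

```python
from datetime import datetime, timedelta
# Constructed sample data for illustration only (not survey data or targets from the post).
# Incidents: (detected, contained, service restored, customer-facing downtime in hours)
INCIDENTS = [
    ("2024-03-02T08:00", "2024-03-02T10:30", "2024-03-02T14:00", 3.5),
    ("2024-05-17T22:15", "2024-05-18T01:15", "2024-05-18T09:15", 0.0),
    ("2024-09-09T11:00", "2024-09-09T11:45", "2024-09-09T12:30", 0.75),
]
CONTROLS = {"MFA for admins": True, "Quarterly access review": True,
            "Backup restore tested": False, "Patch SLA met": True}
ONBOARDING_DAYS = [2, 5, 1, 3, 4]  # hire date to full access, per new starter
SECURITY_SPEND, TOTAL_BUDGET = 1_200_000, 18_000_000
# Targets assumed to have been agreed with business stakeholders, keyed by metric name.
TARGETS = {"mean_time_to_contain_h": 4.0, "mean_time_to_recover_h": 8.0, "total_downtime_h": 8.0,
           "controls_passing_pct": 90.0, "security_share_of_budget_pct": 8.0, "mean_onboarding_days": 3.0}

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)

def risk_metrics(incidents=INCIDENTS):
    """Risk management: incident frequency and mean time from detection to containment."""
    n = len(incidents)
    return {"incident_count": n,
            "mean_time_to_contain_h": round(sum(_hours(d, c) for d, c, _, _ in incidents) / n, 2)}

def continuity_metrics(incidents=INCIDENTS):
    """Business continuity: downtime suffered and mean time from detection to service restored."""
    n = len(incidents)
    return {"total_downtime_h": round(sum(dt for *_, dt in incidents), 2),
            "mean_time_to_recover_h": round(sum(_hours(d, r) for d, _, r, _ in incidents) / n, 2)}

def compliance_metrics(controls=CONTROLS):
    """Compliance: share of required controls passing, plus the ones that need attention."""
    return {"controls_passing_pct": round(100 * sum(controls.values()) / len(controls), 1),
            "failing_controls": [name for name, ok in controls.items() if not ok]}

def cost_metrics(spend=SECURITY_SPEND, budget=TOTAL_BUDGET):
    """Cost: security spend as a share of the overall budget."""
    return {"security_share_of_budget_pct": round(100 * spend / budget, 2)}

def productivity_metrics(days=ONBOARDING_DAYS):
    """Productivity: how long a new starter waits for the access needed to do their job."""
    return {"mean_onboarding_days": round(sum(days) / len(days), 2), "max_onboarding_days": max(days)}

def scorecard(targets=TARGETS):
    """Return {metric: (value, target, on_target)}; only controls_passing_pct is higher-is-better."""
    values = {**risk_metrics(), **continuity_metrics(), **compliance_metrics(),
              **cost_metrics(), **productivity_metrics()}
    return {name: (values[name], target, values[name] >= target if name == "controls_passing_pct"
                   else values[name] <= target) for name, target in targets.items()}
```

With the sample data every target is met except the compliance one, which is the kind of single-line finding (one failed backup restore test) that can be reported to executives in business terms rather than as a count of alerts.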
Get the full results from our survey
To learn more about the current state of cybersecurity and business alignment, download the complete research report: The Impact of Business Alignment on Cybersecurity Effectiveness: Global Survey of Cybersecurity Leaders. You’ll see what 2000+ cybersecurity decision-makers said about the best organizational structures, training, and communication strategies to achieve both business and cybersecurity goals.