Effective Metrics for CyberSecurity Enterprise Risk Management
Cybersecurity threats are a significant enterprise risk and should be governed with the same rigor and discipline as other corporate risks. Effective governance depends upon robust and accurate metrics, which are often difficult to gather for cybersecurity. Organizations face the business problem of managing the mitigation of cybersecurity risk. Actual mitigation of the risk is done by many people performing detailed technical and human resource tasks. It is difficult to translate all the detailed activity into summarized metrics that are meaningful for the CEO and Board.
Due to the complexities of cyber threat mitigation, organizations struggle to proactively identify the cybersecurity metrics they need for effective governance. Often the metrics are summarized surveys of opinions on the state of cybersecurity in the organization, rather than an analysis of actual, detailed performance data.
A standards-based approach provides guidance on the metrics needed for cybersecurity risk identification and mitigation.