4 Metrics That Prove Your Cybersecurity Program Works

September 15, 2021

Contributor: Susan Moore

Use the CARE framework to develop metrics that prove the credibility and defensibility of your cybersecurity program.

In proposing record fines to Marriott International’s and British Airways’ parent company under Europe’s data-privacy laws, U.K. Information Commissioner Elizabeth Denham explained that the severity of fines was not related to who was impacted, but rather to the lack of appropriate action taken to protect people’s data. In issuing the much-reduced final fine, the commissioner also reportedly took “economic impact and affordability” into account.

When an organization suffers a data breach or other cybersecurity incident, it is not judged by whether it had a low number of vulnerabilities or if it spent enough on security tools. The question is whether it did the right thing based on its budget, size and needs.

Gartner predicts that within three years, 80% of the magnitude of fines imposed by regulators after a cybersecurity breach will be attributable to failures to prove the duty of due care was met rather than the impact of the breach.


How to show you CARE about cybersecurity

In the past, cybersecurity priorities and investments were largely based on doing something to avoid an outcome. For example, you might implement a patch management tool to avoid incidents resulting from unpatched security vulnerabilities.

This is not the best course of action. Cybersecurity priorities and investments should be based on achieving a set of outcomes that are consistent, adequate, reasonable and effective (CARE). Gartner introduced CARE as a framework to help organizations assess the credibility and defensibility of their cybersecurity program.

For example, rather than simply confirming the presence of tools and processes to patch vulnerabilities, an organization should measure outcomes directly related to the level of protection, such as the number of days it takes to update critical systems with critical patches.

But because there is no industry standard set of security metrics or KPIs, every organization needs the flexibility to meet its unique circumstances.

“Ultimately, these are value judgments,” says Claude Mandy, Senior Director Analyst, Gartner. “These four characteristics embody myriad opportunities to do what is best for the organization. Use the framework to ensure your security program delivers better outcomes, not just greater spend.”

The CARE Standard for Cybersecurity

We recommend that as a security and risk management leader, you develop a catalogue of 20 to 30 CARE metrics that translate operational metrics into something easily understood by a nontechnical audience.

The following are types of security metrics to include in a dashboard to help prove to key stakeholders, such as regulators, customers and shareholders, that you met the duty of care.

Consistency Metrics

These assess whether security controls are working consistently over time and across the whole organization. They should be continuously updated, and measured and reported weekly, monthly or quarterly to demonstrate that they remain consistent. For example:

  • Third-party risk assessment: The metric could be coverage, i.e., the percentage of third parties with a completed risk assessment.
  • Security awareness: The metric could be currency, i.e., the percentage of employees who have received phishing training in the last X months.

Adequacy Metrics

These assess whether the controls meet business needs and stakeholder expectations. For example:

  • Achievement of patching: Percentage of assets regularly patched within a protection-level agreement (PLA)
  • Achievement of malware update PLA: Percentage of endpoints with anti-malware definitions regularly applied within PLA

Reasonableness Metrics

These prove that your security controls are appropriate, fair and moderate, as determined by their business impact and the friction they cause. For example:

  • Delays and downtime: Average delay (in hours) when adding new access
  • Complaints: Number of complaints triggered by a particular security control

Effectiveness Metrics

These assess whether your security controls are producing the desired outcome. For example:

  • Vulnerability remediation: The control could be timeliness, such as average or maximum number of days required to remedy critical security vulnerabilities.
  • Prevalence of cloud security incidents: Number of cloud security issues per year related to cloud configuration issues
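The four metric families above are only useful once they are computed the same way every reporting period from operational records. The script below is an added example, not code from Gartner or the article, showing one way to derive a small CARE dashboard from constructed asset, staff, third-party, access-request and cloud-incident records. The protection-level agreements (14 days for critical patches, 2 days for anti-malware definitions), the 6-month training window (taken as 183 days), the reporting date and all sample data are assumptions made for the example.

```python
"""Compute CARE-style dashboard metrics from operational records (example code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Assumed protection-level agreements (PLAs) and currency windows for this example.
AS_OF = date(2021, 9, 15)       # reporting date
PATCH_PLA_DAYS = 14             # critical patches applied within 14 days of release
MALWARE_PLA_DAYS = 2            # anti-malware definitions no older than 2 days
TRAINING_CURRENCY_DAYS = 183    # "phishing training in the last 6 months"


@dataclass
class Asset:
    name: str
    patch_released: date            # when the critical patch was published
    patch_applied: Optional[date]   # when it was applied; None means still open
    defs_updated: date              # last anti-malware definition update


@dataclass
class Employee:
    name: str
    last_phishing_training: Optional[date]   # None means never trained


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


# --- Consistency: is the control applied uniformly across the estate? ---
def third_party_coverage(assessed: Dict[str, bool]) -> float:
    return pct(sum(assessed.values()), len(assessed))


def training_currency(staff: List[Employee], as_of: date = AS_OF) -> float:
    current = [e for e in staff if e.last_phishing_training is not None
               and (as_of - e.last_phishing_training).days <= TRAINING_CURRENCY_DAYS]
    return pct(len(current), len(staff))


# --- Adequacy: does the control meet the agreed protection level? ---
def patch_pla_achievement(assets: List[Asset]) -> float:
    within = [a for a in assets if a.patch_applied is not None
              and (a.patch_applied - a.patch_released).days <= PATCH_PLA_DAYS]
    return pct(len(within), len(assets))


def malware_pla_achievement(assets: List[Asset], as_of: date = AS_OF) -> float:
    within = [a for a in assets if (as_of - a.defs_updated).days <= MALWARE_PLA_DAYS]
    return pct(len(within), len(assets))


# --- Reasonableness: how much friction does the control create? ---
def average_access_delay_hours(hours_to_grant: List[float]) -> float:
    return round(mean(hours_to_grant), 1) if hours_to_grant else 0.0


# --- Effectiveness: is the control producing the outcome? ---
def remediation_days(assets: List[Asset], as_of: date = AS_OF) -> Dict[str, float]:
    # Still-open patches are aged to the reporting date so the backlog is not hidden.
    days = [((a.patch_applied or as_of) - a.patch_released).days for a in assets]
    if not days:
        return {"average": 0.0, "maximum": 0}
    return {"average": round(mean(days), 1), "maximum": max(days)}


def cloud_misconfiguration_incidents(incidents: List[Dict[str, object]],
                                     as_of: date = AS_OF) -> int:
    window_start = as_of - timedelta(days=365)
    return sum(1 for i in incidents
               if i["cause"] == "misconfiguration" and window_start < i["date"] <= as_of)


# Constructed sample records (not real data).
ASSETS = [
    Asset("web-01", date(2021, 9, 1), date(2021, 9, 5), date(2021, 9, 14)),
    Asset("db-01", date(2021, 9, 1), date(2021, 9, 14), date(2021, 9, 10)),
    Asset("hr-app", date(2021, 8, 20), None, date(2021, 9, 15)),
    Asset("kiosk-07", date(2021, 8, 25), date(2021, 9, 13), date(2021, 9, 13)),
]
STAFF = [Employee("alice", date(2021, 4, 1)), Employee("bob", date(2021, 1, 10)),
         Employee("carol", date(2021, 8, 30)), Employee("dave", None)]
THIRD_PARTIES = {"payroll-vendor": True, "cdn": True, "cleaning": False,
                 "saas-crm": True, "printer-lease": True}
ACCESS_DELAYS_HOURS = [2.0, 30.0, 4.0]
CLOUD_INCIDENTS = [
    {"date": date(2021, 3, 2), "cause": "misconfiguration"},
    {"date": date(2021, 7, 19), "cause": "misconfiguration"},
    {"date": date(2021, 8, 1), "cause": "credential-theft"},
    {"date": date(2020, 5, 5), "cause": "misconfiguration"},  # outside the 12-month window
]


def care_dashboard() -> Dict[str, object]:
    return {
        "consistency/third_party_coverage_pct": third_party_coverage(THIRD_PARTIES),
        "consistency/training_currency_pct": training_currency(STAFF),
        "adequacy/patch_pla_pct": patch_pla_achievement(ASSETS),
        "adequacy/malware_pla_pct": malware_pla_achievement(ASSETS),
        "reasonableness/avg_access_delay_hours": average_access_delay_hours(ACCESS_DELAYS_HOURS),
        "effectiveness/remediation_days": remediation_days(ASSETS),
        "effectiveness/cloud_misconfig_incidents_12m": cloud_misconfiguration_incidents(CLOUD_INCIDENTS),
    }


if __name__ == "__main__":
    for key, value in care_dashboard().items():
        print(f"{key}: {value}")
```

Two design choices matter for defensibility: open vulnerabilities are aged to the reporting date rather than dropped, so a growing backlog shows up in the effectiveness numbers, and each metric is a small pure function over the records, so the same definition can be re-run each period and the PLA thresholds can be shown to a regulator alongside the results.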

As a security and risk management leader, it’s up to you to contextualize for the audience, drill into detail for specific business units and systems, and link CARE metrics to business outcomes.
