Security starts with visibility. Great, I see some trending data but is that good or bad?
You can't manage what you can't measure. Is what we are doing effective? Is what we're doing even useful?
We've all heard these nuggets of wisdom before. And yet with the ever-increasing pace of change, complexity, and demands of daily life, it's easy to get stuck in the weeds and neglect metrics and reporting.
Without good metrics, how do we know if we're doing a good job? Without good metrics, how do we justify our time and investment in a product or service? How can we demonstrate that we need more resources such as budget or staff? Worst of all, without meaningful metrics, how do our businesses understand and recognize the value of cybersecurity?
So what metrics should we report? The number of blocked network threats is always good eye candy, and so is the number of rejected emails. Do any of these matter to the business? Maybe, if the blocked network traffic negatively impacted a business function. The same goes for blocking emails. These might be more useful to performance management than cybersecurity; so what to do?
Follow our #MetricsMonday series, where we explore cybersecurity metrics with the aim of developing a set of meaningful metrics that map directly to cybersecurity and, most importantly, to business outcomes.
So welcome aboard, we're glad you're here.
Image Source: Adobe Firefly Generative AI