The changing attack surface and increasing cyber attacks means the board of directors of a company has their fiduciary liability expanded to include intellectual property, customer, and employee information, and other sensitive information. In order to execute on these responsibilities, the board needs to know the security leadership has a plan in place for protecting critical business assets. CISOs have long used operational metrics like MTTD (mean time to detect), MTTR (mean time to respond), etc., to measure the effectiveness of their security programs.
Analyst firm Gartner Research predicts that by 2025, 40% of boards of directors will include a focused cybersecurity committee overseen by an experienced board member, up from 10% today. Security leaders have an opportunity to own the narrative right now, and setting the standards will yield benefits for the SOC in years to come. In order to manage risk correctly, security leaders need to clearly communicate the probability of an event occurring and the severity of impact if it occurs.
Answering performance questions correctly using the language of cybersecurity risk, the right amount of education can be the key to unlocking more budget and resources to protect and defend the organization.
4 Tips for Effective Cybersecurity Reporting
- Discuss Business Outcomes, Not Tech
The board doesn’t have time to listen to lengthy explanations or tangents. They don’t want to unravel complex situations or ideas. They want quick, digestible, easy to understand facts, backed by actionable data. When reporting on the Security Operations program, it’s best to use simple, concise, relevant information and examples to demonstrate the program’s status and recommendations to improve. There’s no need to complicate things, when it’s the business outcomes that matter most for everyone at the table.
- Provide Context with Cybersecurity Metrics
In addition to keeping it high-level, it’s helpful to create a narrative to tell the story with the report. Relying on numbers alone might not drive home the point to people who don’t really understand what the numbers represent anyway. Rather, providing context with the key metrics builds trust as stakeholders get up to speed. One story could outline why the time it took to respond to an incident increased and noting the ways to shorten response time and strengthen the program overall. This story can demonstrate how less staff dealing with an increasing number of threats increases cybersecurity risk.
- Explain “Why” with Metrics to Sell Budget Requests
Executives don’t like to increase budgets or spend more money unless they feel like they have a solid understanding of why. When reporting on cybersecurity, especially if you’re asking for a budget increase, explain why certain metrics were impacted, why an increase in budget is needed or why a new program should be implemented.
- Use Risk Management Terminology with Executives
Before the meeting with the Board, it’s critical to know their risk appetite. If they’re unaware that security is a risk to manage, a modified approach can help get the conversation moving in the right direction with regard to security. These reports do not necessarily have to go into extreme detail to demonstrate the risk the organization is facing. If the cyber risk reports are just a bunch of numbers or provide little to no clear guidance, executives may get overwhelmed and tune out. If the Board cannot communicate their risk tolerance on any of the report’s recommendations, the report needs more work.
What Metrics Should You Use in Cybersecurity Reporting?
Finding the right metrics for cybersecurity reporting comes down to knowing the story and requests being made. Focusing on the most relevant metrics helps the in-house team stay focused on overall progress, and also helps establish a baseline of understanding with cross-functional stakeholders and executives. Knowing how the SOC matters to them and the overall business is key. As stakeholders learn more about security operations, the security leader can incorporate other strategic metrics to provide additional context to the technical metrics.
Here are the top metrics to consider leveraging to measure the detection and response functions in the Security Operations Center:
Mean Time to Acknowledge (MTTA)
MTTA = Alert Assignment Time / Alert Time
MTTA is the amount of time that elapses between when your system identifies an incident and when your team begins their response. You get this metric by adding up the total amount of a time for a given period and dividing it by the number of incidents. MTTA is used to optimize triaging issues, identify issues in assignments and responsibilities and set clear expectations.
The mean time to acknowledge a security event that requires investigation by a Security Analyst on the provider’s team. Since this event could be a human observation, and is not always an alert in a system, there may be times when this metric will not always be captured by a system and needs to be manually captured by the observer.
Mean Time to Contain (MTTC)
MTTC = MTTD + MTTA + MTTR / Total # of Incidents in a given time period
MTTC is the combination of MTTD, MTTA and MTTR. This metric gives you a holistic view of your response times and capabilities to gauge your posture’s overall health. To get MTTC, add together all the time it takes to detect, acknowledge, and resolve an incident for a given time period and divide that total by the number of incidents for the same time period.
Categorizing Metrics by Criticality and Priority
When reporting metrics, it’s good to rank any findings by criticality and priority (critical, high, medium, low). This helps communicate the relevance of proposed initiatives and budget increases to cross-functional stakeholders. Using a risk management approach, metrics can make the case for deployment of new technology to replace legacy systems, or explain the financial impacts of major security events, such as the Exchange Zero Day, etc, to non-technical leaders involved. These insights help the reports establish the baseline from which to discuss risk tolerance and cybersecurity solutions with executive leadership.
SOC metrics are only one piece of the cybersecurity risk management puzzle. As these metrics improve over time, savvy security leaders focus on reducing threats that are the most (financially) impactful within the risk management equation. For example, implementing network segmentation and ZTNA like solutions can impactfully reduce the security risk due to flat networks.
Strengthening Security Operations with the Right MDR Provider
When it’s time to consider how a trusted managed security services provider can help, consider Deepwatch’s suite of managed security solutions. From performance tracking to managing metrics, data, and 24/7/365 security monitoring, Deepwatch can help you mitigate your cybersecurity risks now and measure gains in your Security Operations metrics over time.
Contact Us today for a meeting with a Deepwatch Security Solutions Architect. One of our experts can work with you to gather your requirements as you develop your budget for the Security Operations program with a MDR provider. With Deepwatch MDR, you can have a team of security experts who extend your team, and help you demonstrate progress with measurable results to report upline to board executives and leadership teams.