Cybersecurity Metrics - A Data-Driven Framework for the Board of Directors, the C-Suite, and the CISO

This IDC Perspective details a framework for cybersecurity metrics that enables effective data-driven leadership. Cybersecurity has grown up. Once the dominion of the hoodie-wearing basement dwellers, the topic has elevated to the C-suite and beyond. In essence, cyber-risk equals business risk. Just as revenue and expense information is shared at all levels of the organization, there is a need to share information on the effectiveness and efficiency of cybersecurity with operations, management, and corporate governance.Cybersecurity metrics are extremely misunderstood. This confusion has much to do with how cybersecurity has evolved and matured over the past 40 years. What is needed are metrics derived from a consolidated intelligence repository in the form of language that communicates risk likelihood versus impact to the business, whether financial or otherwise. Today's environment calls for a capability to collect rich contextual information that provides not only metrics and statistics but additional risk and compliance insights and themes across the cybersecurity program to aid in both strategic and tactical management, known as data-driven metrics.GRC platforms can provide data-driven metrics leveraging a rich consolidated repository of internal and external business, IT, and cybersecurity contextual intelligence. Through automation, machine learning (ML), and AI, GRC platforms of today can utilize and enhance findings through an integrated repository of internal and external contextual business, IT, and cybersecurity intelligence fabric."Possessing a rich contextual set of intelligence data dramatically enhances cybersecurity leadership based upon accurate and consolidated data and insights that can address any level of management throughout an organization," says Philip Harris, research director, Governance, Risk, and Compliance Services at IDC. "It is critical more so now than ever for executive management and board members to have a complete picture of the risk and compliance posture for their organization and drive decisions based upon objective and accurate information."