A two-year survey on organizational security conducted by the AFCEA (Armed Forces Communications and Electronics Association) Cyber Committee turned in poor data and unusable results because the organizations themselves were struggling to define the measures they needed to assess their security posture.

Maryanne Lawlor filed this report in The Cyber Edge:

After analyzing the interview results, it also became clear that one of the fundamental problems in identifying security metrics is the lack of a broadly accepted definition of what they comprise. In addition, even organizations with relatively mature cybersecurity programs and robust security metrics were struggling to find the right way to communicate the organizations’ state of security to their boards of directors or senior executives, committee members agreed.

The interview results also showed that organizations often have very different security metrics programs and were more a Tower of Babel than had been initially apparent. The committee found that, regardless of the taxonomy adopted, organizations were all ultimately striving to be in a position to assess the risk of accomplishing the overall mission of the organization. It also became apparent that there was a logical maturing process for organizations as they strove to define security metrics that could accurately portray an organization’s overall security posture.

[…]

Several organizations interviewed described their security metrics effort as aligning their security metrics with mission risks. These organizations typically had implemented a set of technical compliance security measures and, in some cases, the technical measures were quite extensive. However, senior management could not conclude from the technical metrics if their organizations’ security posture was sufficiently robust to meet the organizations’ overall objectives, or if the return on investment of additional resources in cybersecurity was appropriate.

The goal for these organizations then became to identify those security metrics that were most important to understanding and evaluating risks to the ability to perform their missions or their strategic objectives. Once defined, these risk-based metrics were tracked and regularly reported to senior management.