An increasing number of security and risk teams are using security ratings to effectively assess the impact of their security programs and communicate changes to key decision makers like the company’s board of directors. These teams know that their company needs tools that provide an objective and quantitative view of their cybersecurity performance over time, and that a continuous overview of cybersecurity metrics is critical to sound cyber-risk oversight by the board.
As a CEO, I understand the importance of establishing goals and benchmarks and the need to be able to measure performance against them over time. This is an important demand that my company’s board has of me. In turn, it is a critical demand I have of people who report to me.
As adoption of security rating services has rapidly increased across companies and industries, many customers have tied their own BitSight Security Rating, a product that my company offers to security teams, to broader business goals and initiatives. With senior leadership more involved in security and risk programs than ever before, companies are beginning to set intervals of rating improvement as the benchmark for performance-based raises and compensation. But why should they be setting these goals within the company’s performance plans?
Progress in a fast-changing environment like cybersecurity isn’t absolute. Rather, it’s relative: it is measured against a goal set by your specific organization and its leadership, and against the prevailing conditions that confront your market and your peer group. Performance should be judged on progress toward that goal as well as on performance relative to the others you measure yourself against in other business dimensions. So how do you know what a realistic goal for cybersecurity performance is? Setting that goal is the first step; the next is tracking progress against it over time while understanding the context for your performance.
Observing my team’s reactions to measurement and benchmarks in all areas of the business (pipeline, conversion rates, customer satisfaction rates, and account health measurements, for instance) is a useful lens for understanding how cybersecurity ratings are initially received and, ideally, embraced over time. In the early days of a benchmark or metric there is a tendency to focus on the absoluteness and provenance of the data, followed by healthy debate on the key indicators and what they mean. If successful, the metric or benchmark delivers a common framework for business understanding and action, and anecdotes serve to illuminate the trend rather than obscure it.
When thinking about these security performance trends, the measurement of a security rating can help provide context for decision making. Is your company’s security performance getting better or worse? How is your security performance changing relative to the peer groups and benchmarks that matter for your broader business? If it is getting worse, why is that, and what do you need to change or implement as part of your remediation strategy that you might not have considered? Overall, security ratings can help organizations understand their security performance over time, provide context, and indicate trends that show improvement, which leads to better decision making.
One way to understand security performance context and trends is through products like my company’s Cyber Risk Monitor publication. Exclusively for corporate directors, this quarterly report contains critical, timely data and insights into global cybersecurity performance and trends. Armed with this information, directors can feel more confident and prepared as they engage in discussions around cyber risk and security performance.
Security ratings are innovative because they provide a way to quantitatively measure cyber performance, but with that comes certain challenges. Learning to use the measurement to drive performance is a process that takes time but ultimately simplifies internal decision making about cyber risk management.