A Strategic Approach to Understanding and Measuring Cybersecurity Risk
- To determine which security metrics are important to measure, you must first understand your risks and define goals for addressing them.
- The human aspect of cybersecurity risk management, including awareness training and policy compliance, is especially important to measure and monitor.
“One effective method for communicating the state of your cybersecurity to the CEO is a dashboard.”
When the chief executive officer (CEO) asks, “How much cybersecurity do we need?”, Montana Williams believes the answer begins with an assessment that outlines the organization’s current cybersecurity strengths, weaknesses, opportunities, and threats (a SWOT analysis). According to Williams, a cybersecurity evangelist with deep experience in the field, it is important to first identify the technical, human, and financial resources you currently have. Then you should develop organizational goals that follow the SMART model, that is, goals that are specific, measurable, achievable, realistic, and timely.