Security Metrics Are About People And Money
- If you want the CEO to understand the importance of security investments, frame the message in language he or she understands: metrics, real-world examples, and monetary results.
- Educating both senior management and network users on the threats the network faces is one of the most efficient ways to ensure their cooperation in protecting the network.
“I present our current security posture by showing that we haven’t had any major security breaches, and we have had no money loss since we hardened the core network.”
When Istvan Rabai came to Signalhorn, security had not previously been an area of focus. As a result, he had a lot to do to harden the company network and secure corporate digital assets. To overcome the awareness challenges, Rabai needed to determine how best to frame the importance of security in a language that the C-suite would understand. “The CISO (chief information security officer) might be interested in technical measures—say, the number and priority of relevant vulnerabilities or the number of infected PCs,” he says. “For a CEO (chief executive officer), these numbers do not mean anything. The CEO wants to see how much return on investment he or she will get.”