We need to stop measuring compliance and risk management and start measuring cybersecurity performance

In a tough regulatory climate, achieving and maintaining compliance is crucial. And in a digital environment where cyber danger lurks around every click, managing risk is critical.

Yet with all the attention shined on compliance and risk management, we tend to overlook the question of how we measure cybersecurity success. How do we evaluate whether the tools we adopted to ensure compliance are actually doing their job now? How do we quantify how well the solutions we invested in to mitigate cyber risk are actually working at this moment?

A recent Gartner report noted that technology risk and cybersecurity metrics are mostly trailing indicators of operational results – meaning that they are not useful in measuring actual cybersecurity performance. And a recent survey found that while the average global organization has 29 security monitoring solutions in place, over half of cybersecurity stakeholders don’t use them. This “tool sprawl” - the term coined to describe the over-abundance of cybersecurity tools enterprises are adopting - has brought cybersecurity professionals to the point where they have trouble telling what data is coming from where, which data is valid or relevant, and how to correlate data points across different tools and programs.

With too much focus on external validation (compliance and risk management assessments), too many tools generating too much confusing data, and not enough clarity about the actual cybersecurity benefit of many of the tools that comprise organizational cybersecurity stacks – it’s time to rethink the way we’re measuring success. It’s time to focus on cybersecurity performance and let compliance and risk management flow from successfully securing the organization and its mission-critical data – not vice versa.

 ‘Compliant’ Does Not Equal ‘Secure’

Regardless of the regulatory specifics, it’s important to remember that being fully compliant does not mean your organization is fully secure – or even partially secure. Compliance means that an organization meets the minimum security requirements for a given regulation at a given moment. Security, on the other hand, means your organization is best positioned to be protected against danger – whether operating over fully compliant or noncompliant infrastructure.

The fact is that the majority of companies that are breached are also fully compliant. So, while it’s important to prioritize, meeting regulatory stipulations is not a cybersecurity strategy. A viable security strategy must extend beyond compliance.

Risk Management is Not Sufficient

Risk management is a key piece of the cybersecurity mix. Adopting a systematic approach to management policies, procedures, and practices that identify, analyze, evaluate, monitor, and mitigate cybersecurity risks is an important organizational step.

Yet cyber risk management programs are inherently disconnected from the real-time, data-driven status of your digital ecosystem. The fact that your organization is well-positioned to check for and evaluate risk globally does not mean that you’re able to evaluate and communicate risk this minute. Quarterly risk management reports to the Board do not thwart APTs and ransomware. Risk management is important for prioritization and focus, but it is detached from actual security stack performance.

Cybersecurity Performance Management: Mind the Gap

Compliance and risk management frameworks were designed to encourage (or coerce) organizations to develop certain capabilities. However, they were not designed to assess the performance of these capabilities and instigate action according to the results.

This is the gap between compliance and risk management. Security leaders need to be able to connect the dots – understanding the bigger picture while being able to drill down to the specifics, making effective decisions and explaining them quickly and simply. 

Cybersecurity Performance Management (CPM) solutions like that developed by SeeMetrics were conceived to fill this gap. Our CPM platform enables real-time assessment of your cybersecurity stack performance in the context of compliance and risk management. This helps CISOs and other cybersecurity stakeholders streamline decision making with a risk-based but outcome-driven approach to cybersecurity assessment and management. It also offers a single source of truth and insights into the actual optimization of any cybersecurity stack right now – while at the same time helping identify, track and report on trends over time. 

The Bottom Line

To effectively reduce risk and demonstrate the value of their security programs, security stakeholders need the confidence and independence of immediate, 360-degree, drill-down visibility into their security stacks.

While strategies for compliance and risk management have a permanent and important place in cybersecurity, quantifiable CPM empowers security teams to focus on the highest-impact threats based on outcome-driven metrics, while security leaders set priorities through informed conversations about cybersecurity objectives, gaps, specific projects and actions.