Cybersecurity Metrics & Analytics
It is relatively common for Governance, Risk & Compliance (GRC) professionals to encounter significant frustration in metrics and analytics discussions. The frustration is often rooted in "word crimes": a member of the organization's executive leadership team asks for a "football bat" (a mythical solution that mixes terms which do not fit together) and the GRC professional is left to guess what was actually wanted. This is a Garbage In / Garbage Out (GIGO) scenario in which the metrics are tainted by a lack of clear guidance, so the resulting outputs are useless. The root cause is missing the point of metrics / analytics.
What Is The Point of Metrics & Analytics?
When executive management asks for "metrics," the general intent is to have analytics. There is a distinction that needs to be understood:
- Metrics are discrete, point-in-time measurements; and
- Analytics are generated from the analysis of metrics.
Analytics are designed to facilitate decision-making, evaluate performance and improve accountability through the collection, analysis and reporting of relevant performance-related data. At the end of the day, the executive leadership team wants an answer to a simple question: "Are we secure and compliant?" The point of metrics / analytics is to answer that question in a concise and professional manner, with the underlying metrics available as evidence for the answer.
NIST CSF 2.0 Metrics Perspective - Cybersecurity Metrics Reporting Model (CMRM)
ComplianceForge created something unique with its Cybersecurity Metrics Reporting Model (CMRM), which shows how to present metrics within the view of the NIST CSF 2.0 functions. The "Are we secure & compliant?" question is answered through the following six (6) sub-questions, each of which corresponds to a NIST CSF 2.0 function:
- GOVERN. Do we have reasonable evidence of due diligence and due care to prove we meet our obligations?
- IDENTIFY. Is our security posture appropriate to meet our security requirements & mitigate risks?
- PROTECT. Are we protected from reasonably-expected threats?
- DETECT. Do we have appropriate situational awareness to detect an incident?
- RESPOND. Do we have trained people and tested processes in place to respond to an incident?
- RECOVER. Can we recover and sustain key business operations if an incident happened?