Organizations face unprecedented challenges in managing the complexity of their security posture. From the proliferation of cloud-based technologies to the ever-growing array of connected devices, security professionals are tasked with safeguarding an increasingly diverse and dynamic attack surface.Frederico Hakamine, Technology Evangelist at Axonius, joined Enterprise Security Weekly Host Adrian Sanabria during a recent SC Media webcast to explore the critical role of security metrics in navigating this complexity and driving real impact."Getting good metrics and carrying over security, meaningful security conversations with other stakeholders outside of security, is really hard," Hakamine acknowledged. "It's hard to get to the point. It's hard to get the investments we want, or it's hard to show the results that we want to show to them, even though we're doing our jobs and we can feel like it's being good and there's efficacy, it's hard to translate that."He identified three key reasons for this challenge:"The bottom line for security is that everybody picks new technologies, the marketing team, let's say engineering and product, and every company becoming a technology company, but security gets to inherit all the new toys and make sure like they are safeguarded," Hakamine explained. "We don't get to choose the variety. We get to deal with the best of breed across all the departments, across the entire organization across every single area that's touching, data processes, so that complexity grew because of this, because of technology choice versus responsibilities you're in charge of being safeguarding all that technology."Compounding this challenge is the disconnect between growing security budgets and the challenges of effectively managing the proliferation of security tools."While budget evolves, the other areas are not evolving as well, and it's creating distraction from the big picture, because security is always about a risk reward trade off like it is, almost like it's impossible to take care of all the security issues," Hakamine said.To address these challenges, he emphasized the importance of developing defensible and contextual metrics that align with business outcomes and resonate with stakeholders."Great metrics do that kind of job, they put the audience of yours in a good position to go to ask follow up questions and carry intelligent conversations," he explained.Hakamine shared examples of effective metrics, such as:By embracing a strategic and data-driven approach to security, organizations can unlock the true potential of their cybersecurity efforts and drive meaningful conversations with stakeholders. AsHakamine concluded, "If you cannot measure consistently, if you need to do excels and need to do need to do manual accounting, chances are you cannot actually do the frequency that you want. You cannot answer follow up questions so that could help you with the technology side."
- The growing complexity in security that outpaces the security staff
- The lack of a standardized cybersecurity metric framework
- The difficulty in tracking maturity with the rapid evolution of technologies and asset types
- Key risk and control indicators that help security teams communicate the value of their investments and the associated risk trade-offs.
- Leveraging frameworks like those from Gartner and ISACA to guide the development of meaningful cybersecurity metrics.
