Christian Léger, Consulting Services Director, Security, October 17, 2024

Cyberthreats continue to loom over businesses today, with malicious actors seemingly lurking around every corner. And it’s not just the stuff of nightmares - according to Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technologies, the annual average cost of cybercrime is projected to reach $23 trillion by 2027.

Businesses can no longer rely on the traditional methods of tracking cybersecurity incidents, vulnerability counts, or processed security alerts to develop a true picture of their defense. Increasingly, CIOs are turning to outcome-driven metrics to measure cybersecurity program success, and to effectively communicate the importance and value of their work to fellow C-level executives and the board. Think of it like measuring fitness. Instead of just tracking your steps (input), you’d start tracking quality of sleep or waist size (desired outcomes) to get a more complete picture of your fitness.

According to Gartner, cybersecurity outcome-driven metrics are one of the top cybersecurity trends for 2024. They link security and risk operational metrics to the business outcomes they support. They provide a more accurate picture of the success of cybersecurity capabilities and investments in achieving desired outcomes. Outcome-driven metrics underscore the idea that cybersecurity is no longer just an IT concern; it’s a cornerstone of business continuity, brand reputation, and customer trust. Outcome-driven metrics define and track Key Performance Indicators (KPIs) that are aligned with wider business goals – establishing a clear connection between security efforts and broader organizational objectives.

When building outcome-driven metrics to track against, first ask yourself these questions:

What metrics align with business objectives?

This ensures that every cybersecurity initiative contributes directly to the organization’s strategic goals.

How can these metrics empower executive decision-making?

This will help you understand the current threat landscape, the effectiveness of security measures, and areas that require improvement.

Which security issues pose the greatest threats to revenue?

Some of the top issues are ransomware, unpatched systems, and social engineering.

Top four outcome-driven metrics in cybersecurity

As you work to better secure your IT stack, you need to ensure that you establish a robust incident response plan that provides quantitative data. As you look to mature your cybersecurity resiliency, these outcome-driven metrics may help you achieve the most significant improvements in business outcomes:

Mean time to detect (MTTD)

Mean time to detect measures the average time it takes to notice a security breach or threat. A shorter MTTD indicates a more effective and responsive cybersecurity monitoring system.

Mean time to respond (MTTR)

This measures the average time it takes to act once a security incident is detected. A faster MTTR is critical for minimizing the potential damage from breaches and ensuring rapid recovery and remediation.

Mean time to contain (MTTC)

MTTC focuses on how long your incident response team takes to detect an incident, acknowledge the incident, and effectively prevent a cybercriminal from doing more harm.

Security ROI

This measures the financial benefits gained from cybersecurity investments compared to costs incurred. It will give you a quantitative assessment of the effectiveness and value of cybersecurity investments.
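As an added example (not part of the original article), the Python below computes the four metrics just described from constructed incident records. The record fields, the decision to exclude still-open incidents from MTTR and MTTC, and the choice to start the MTTC clock at the moment the incident began are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    # Lifecycle timestamps; None means that step has not happened yet (assumed schema).
    occurred: datetime              # when the intrusion or threat actually began
    detected: datetime              # when monitoring first noticed it
    responded: Optional[datetime]   # first action taken by the response team
    contained: Optional[datetime]   # point after which the attacker can do no more harm


def _avg_hours(deltas: List[timedelta]) -> Optional[float]:
    """Average a list of timedeltas in hours; None when there is nothing to average."""
    return mean(d.total_seconds() / 3600 for d in deltas) if deltas else None


def mttd_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean time to detect: occurrence -> detection (every incident counts)."""
    return _avg_hours([i.detected - i.occurred for i in incidents])


def mttr_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean time to respond: detection -> first response action; open incidents excluded."""
    return _avg_hours([i.responded - i.detected for i in incidents if i.responded])


def mttc_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean time to contain: occurrence -> containment, i.e. detect, acknowledge and stop harm."""
    return _avg_hours([i.contained - i.occurred for i in incidents if i.contained])


def security_roi(benefit: float, cost: float) -> float:
    """Security ROI as a ratio: (financial benefit gained - cost incurred) / cost incurred."""
    return (benefit - cost) / cost


# Constructed sample data, not real incidents.
T = datetime(2024, 10, 1, 8, 0)
SAMPLE = [
    Incident(T, T + timedelta(hours=2), T + timedelta(hours=3), T + timedelta(hours=6)),
    Incident(T, T + timedelta(hours=4), T + timedelta(hours=5), T + timedelta(hours=10)),
    Incident(T, T + timedelta(hours=6), None, None),  # still open: counts toward MTTD only
]

if __name__ == "__main__":
    print(f"MTTD={mttd_hours(SAMPLE)}h MTTR={mttr_hours(SAMPLE)}h MTTC={mttc_hours(SAMPLE)}h")
    print(f"Security ROI={security_roi(150_000, 100_000):.0%}")
```

Reporting the number of open incidents alongside the averages keeps the exclusion from silently flattering MTTR and MTTC.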

Cybersecurity strategies resulting from outcome-driven metrics findings

Outcome-driven metrics findings can lead to the implementation of these cybersecurity strategies that help improve security posture.

Microsegmentation

This key strategy allows for the creation of secure zones in data centers and cloud environments to isolate workloads from one another and secure them individually. This approach limits the potential impact of breaches, as it confines any attack to a single segment of the network. It prevents unauthorized lateral movement within your systems and contains ransomware, insider threats, supply chain compromises, and other cyberattacks. Microsegmentation is a key capability for maintaining compliance with data and privacy standards such as PCI, HIPAA, or GDPR.

Vulnerability scanning and management

Vulnerabilities are weaknesses in systems, platforms, infrastructure, or even people and processes that can be exploited by threat actors, rendering an entire organization or any of its parts susceptible to attack. Integrating threat and vulnerability management into security operations can streamline the process of identifying and prioritizing vulnerabilities, enabling real-time remediation and risk reduction.

SecOps investment

Security operations investment not only fortifies the response to threats but also aligns security measures with business objectives, ensuring a proactive stance on potential security incidents. Failing to invest adequately in cybersecurity could lead to non-compliance with laws and regulations such as PIPEDA or the California Consumer Privacy Act (CCPA), which govern how private sector organizations collect, use, and disclose personal information. Non-compliance can result in fines and penalties.

These strategies, when derived from outcome-driven metrics findings, ensure that security operations are not just reactive but also predictive, adaptive, and integrated with the overall business strategy.

ROI and cost-benefit implications of implementing an outcome-driven metrics framework

The ROI of implementing an outcome-driven metrics framework can be substantial. Outcome-driven metrics provide clarity which allows for more strategic allocation of resources, ensuring that investments are directly contributing to the business's core objectives and value proposition.

Anticipated ROI plays a crucial role in the decision-making process, as it projects the potential returns from the outcome-driven metrics framework implementation. It considers the cost savings from improved operational efficiencies, the increase in revenue from enhanced performance, and the value of intangible benefits such as customer satisfaction and brand reputation.

Cost-benefit analysis

A cost-benefit analysis of an outcome-driven metrics framework involves a comprehensive evaluation of the costs associated with its implementation against the expected benefits. This analysis considers the initial investment in technology and training, ongoing operational costs, and the potential risks involved. The benefits are measured in terms of improved technology readiness to support business outcomes, reduced failures in business processes, and enhanced ability to balance the need to protect with the need to run the business.

Implications for business strategy

The implications of an outcome-driven metrics framework extend beyond mere financial metrics. It represents a shift towards a more outcome-centric approach to technology management, fostering a closer partnership between IT and business stakeholders. This collaboration is crucial for driving technology priorities that deliver tangible business value and for navigating the complexities of digital transformation.

Outcome-driven metrics success spans industries

The implementation of outcome-driven metrics has become a cornerstone for assessing and improving security performance across many different industries.

Financial services cybersecurity considerations

In the financial sector, cybersecurity is paramount. The adoption of outcome-driven metrics allows financial services CIOs to drive priorities and investments that balance the need to protect with the need to run the business.

In a recent cyber event, according to KPMG, attackers exploited key financial services firms to create fraudulent money transfer requests, resulting in significant financial losses. The potential exposure of confidential client financial information, service outages and critical delays posed a serious threat to these financial institutions. This not only jeopardized the privacy and security of clients, but also exposed the organizations to legal and regulatory consequences. Affected organizations had to spend money and time investigating the extent of the breaches, identifying compromised data, and assessing the potential impact. They also had to invest in security measures to prevent further breaches and regain client trust.

This episode was a wake-up call for the entire financial services industry, highlighting the need for outcome-driven metrics like MTTR, MTTD, and MTTC. It also emphasized the importance of regular software updates, thorough security assessments, and comprehensive ongoing employee training.

Healthcare cyber risks

The healthcare industry faces unique challenges due to the sensitivity of personal health information and the dire consequences of data breaches. Healthcare organizations find that tracking the outcome-driven metric "number of incidents where third parties created a liability" is especially important given the 2024 cyberattack on Change Healthcare. When Change Healthcare, a major medical claims processor in the US, was attacked, medical claims processing ground to a halt for many healthcare organizations. This highlighted the overreliance of many healthcare providers on Change Healthcare for claims processing, creating a single point of failure. Faced with financial strain, many healthcare organizations were forced to take drastic measures, including staff furloughs and dipping into personal funds to meet payroll. In the wake of this incident, corporate security executives are doubling down on efforts to bolster supplier oversight and cybersecurity measures. Every organization must scrutinize its data security practices, assess third- and fourth-party access to sensitive data, and identify the critical vendors essential to revenue.

Supply chain threats across manufacturing and retail industries

Supply chains are increasingly becoming targets for cybercriminals, with 75% of third-party breaches targeting the software and technology supply chain, according to Splunk.

Supply chain attacks are appealing to cybercriminals because they target the complex network of relationships between organizations and their suppliers, vendors, and third-party service providers. These attacks exploit vulnerabilities that emerge from the interconnected nature of digital supply chains, which often span multiple organizations, systems, and geographies. To combat supply chain attacks, it’s important that organizations assess the security posture of all their vendors.

Outcome-driven metrics are the key to strategic cybersecurity management for organizations today. By focusing on the tangible results of security initiatives, outcome-driven metrics enable organizations to align their cybersecurity efforts with overarching business objectives. This shift from traditional, often quantitative metrics to outcome-based ones allows for a more strategic approach to security. It's not just about the number of firewalls or patches deployed, but how these measures reduce the incidence of cyber-attacks and enhance the organization's resilience. Moreover, outcome-driven metrics can provide a clearer picture of cybersecurity's return on investment, making it easier for CIOs and other executives to prioritize and justify security-related expenditures. Contact us today to get help with establishing outcomes-driven metrics at your organization with our cybersecurity strategic consulting services.
