Top 3 Challenges with Measuring Cybersecurity

The 10 Most Futuristic Business Leaders Pioneering Innovation, 2020


Where does cybersecurity meet the bottom-line?

Phil Cracknell

The Covid-19 pandemic has left the world far more digitally connected than it was ever before. The demand for digital infrastructure has skyrocketed overnight as businesses struggle to operate despite massive office shutdowns. The sudden change in infrastructure has also opened a Pandora’s box of challenges for cybersecurity and executive teams. Given limited resources, the ability to measure cybersecurity performance is of paramount importance and CISOs are being asked to demonstrate cybersecurity effectiveness to further drive investment decisions.

Measuring cybersecurity effectiveness is hard; speaking the language of the board can be harder. Here are some major pain points for cybersecurity teams when measuring and reporting cybersecurity:

Lack of a quantification method

The biggest challenge in measuring and reporting cybersecurity is that performance metrics are tied to the technology itself and don’t really tell us how good our security is. A typical CSO will spend several hours each month creating a board deck that covers how many viruses were stopped, how many hacking attempts were made, etc. – reports that are usually extracted from tech tools. While these metrics certainly indicate that technology is performing they seldom show how secure we are or how effective our entire cybersecurity posture is.

Lack of consistency in reporting

In the finance industry, for example, a CFO can talk with any other CFO in the common language of EBITDA (earnings before interest, taxes, depreciation and amortization). There is a uniform and consistent way of measuring it — and the board understands it. This is exactly what the cybersecurity industry is lacking:  a uniform way of reporting that is technologically agnostic. In its current form, if the CSO decides to change technology it will immediately alter performance metrics. It’s also difficult to gauge performance over time as parameters of security effectiveness may have altered with time.  Combine that with rapidly expanding risk and threat landscapes and the reporting problem is greatly compounded.

Limited visibility into known unknowns

With the pandemic accelerating remote work and BYOD practices, shadow IT  creeps in more aggressively.  We have limited understanding, visibility and control over the unauthorized apps and software that remote workers are using. Obviously, we have several personal devices lurking on our network, accessing our applications and using our data, but we don’t know how many there are. We don’t know who is connecting to our network using unsecured WiFi or whether these home devices have enough security in place. With 64% of employees working remotely, lack of visibility is a big concern. Bottom-line is that if you don’t have full coverage or visibility into your own network or the cloud, and if you are unable to report on those invisible devices and  and individuals going directly to cloud services, how can you justify spending on security? One errant device can compromise an entire security operation.

Bridging the security gap with app and desktop virtualization

App and desktop virtualization (VDI) are a set of technologies that has transformed the traditional security approach of protecting endpoints. Remote workers simply sign-in to a virtual desktop that provides access to applications on-demand per their work profiles, regardless of the device they sign-in from and without having to worry about security – because protection is integrated.

  • Protects the contents not the containers

There are no endpoints to identify with desktop virtualization (only sessions) and all data is hosted centrally. Hence, security can be managed more simply and effectively in a single location rather than in thousands of different locations across the organization and beyond. Workers are free to do their work as they want while the cybersecurity team worries about security. It doesn’t matter what device you’ve got, because the device itself doesn’t store or process any data or applications.

  • Provides complete visibility into applications and control over known unknowns

Since users only access a virtual instance of the desktop containing authorized applications, IT teams no longer need to worry about shadow IT or personal devices or unsecure WiFi or cloud apps or any other known unknowns. They have complete control and visibility into the entire technology environment, dramatically improving one’s security posture.

  • Helps simplify complex cybersecurity quantification

Desktop virtualization solutions like Citrix provide continuous monitoring of the threat landscape and offer a view on risk assessment and security analytics that can be reported to the C-suite. The platform integrates with risk indicators from third-party tools like Microsoft Graph, providing user risk scores that can help give an overview of a company’s cybersecurity posture.

Common framework for metrics is available but much is still to be done

One of the key challenges the cybersecurity industry faces today is the lack of agreed upon measures that can be applied across organizations. The Metrics Project is one such effort where leading CISOs have gotten together to provide guidance on standardized cybersecurity reporting. The National Association of Corporate Directors (NACD), has recently published guidance or principles that board members can follow to get an oversight on cyber-risk. Several leading enterprises also follow guidance provided by the NIST cybersecurity framework, Cobit Framework or CIS Top 20 CSC although experts argue that compliance does not equal to cybersecurity.

Whatever your approach is, assessing cyber-risk is more than just presentation and metrics. Don’t start by investing in the technology first and then using that technology to manage expectations of the board. Start by setting the right business expectations in place and then work backwards by investing in the right security platform that not only is secure by design but also enables you to get the oversight and context that resonates with the board.

About the Author

Phil Cracknell, an independent cybersecurity consultant, has held eight CISO roles across multiple industries in his 30-year security career. He was cybersecurity SME for the UK government’s Cabinet Office and in 2015 was voted Cyber Security Personality of the Year. A frequent keynote speaker, he has made several mainstream media appearances on BBC News, Sky TV, and oft quoted in national and industry press. He can be reached at Linkedin: