Last week, I joined several prominent business leaders from around the world in Davos, Switzerland for the inaugural Cyber Future Dialogue presented by SINET and the Cyber Future Foundation. Just steps away from the World Economic Forum annual meeting, the mission for this dialogue was to establish a set of guiding principles to address current cybersecurity challenges and to drive actions and measures that will help us leverage cybersecurity’s potential.
I joined a panel of cyber chiefs from large financial, telecommunications, and pharmaceutical corporations in insightful discussion on how to measure, monitor, and manage cyber risk for organizations. During the panel, I discussed the fact that every other part of a business has relevant key performance indicators (KPIs) for success, but this is not the case for cybersecurity. Reporting activity is different from measuring performance. Why is our industry the exception? As a trusted advisor to some of the largest and most demanding enterprises worldwide, I believe that there are better ways to measure the success of cybersecurity programs.
One of the biggest challenges facing organizations around the globe is the fact that they have little to no hard data to understand their exposure to threats and overall cybersecurity risk. The most common KPIs organizations use to measure cybersecurity are not directly related to how successful a cybersecurity program is. In most cases, these KPIs aren’t really Key Performance Indicators; they report that work is getting completed (e.g., patches are being applied, incidents are being remediated, etc.), but they aren’t good predictors of outcomes.
In cybersecurity, everything moves fast—threats, protection, cybercriminals, threat campaigns. The 2018 World Economic Global Risk Report released last week cites cyberattacks as being among the global risks of highest concern to business leaders in advanced economies. According to the risk perception survey that underpins this report, cyberattacks are ranked third among the top five risks in terms of likelihood, and they are viewed by the wider risk community as the risk most likely to intensify in 2018. I believe that if we change the way we measure the success of our cybersecurity programs, we can move away from the current state of fear, uncertainty, and doubt (FUD), and toward a more positive culture that focuses on meaningful business outcomes.
While the discussions that took place in Davos this week were only the beginning of many dialogues to address pressing cybersecurity issues, they were a positive step forward toward a data-driven approach to cybersecurity.