Summary
Information security programs have long struggled to establish legitimacy with senior leaders. There are many reasons for this, but the root cause is the historical inability of CISOs to explain the business impact of information security, the risks facing the firm in business terms, and the business value of the information security organization. Senior leaders ask CISOs four questions: 1) Are we any more secure this year than last year? 2) Are we spending the right amount on information security? 3) Is cybersecurity contributing to the strategic and tactical objectives of the organization? and 4) Is cybersecurity protecting the interests of our customers? The right security metrics can help answer these questions and do more. For example, your team can harness the intelligence in log and event data to profile the firm's vulnerabilities, compare those vulnerabilities with potential attacks, and prioritize the appropriate defensive measures. Security metrics used in this way can enhance security decision-making. This report proposes a practical approach to metric selection that improves security posture and increases business alignment. This is an update of a previously published report; Forrester reviews and updates it periodically for continued relevance and accuracy.