If you cannot measure it, you cannot improve it. I’m not sure who said it, but boy is it true. Between working full-time and grad school part-time, I’m always thinking about time. It is, by far, my most expensive commodity. When I first started grad school, my Success Coach (yes, that’s a thing) had me break my day into 30-minute blocks to see where I could shave off a few minutes to be more efficient and effective. For example, making coffee at home versus a Starbucks run, or ordering grocery delivery over running to the store. At first, I rolled my eyes at the exercise, but it actually proved beneficial. I noticed I was spending too much time mindlessly scrolling on my phone in the morning and at night. Since then, I’ve put parameters in place to stop this habit, and as it turns out, I’ve decreased my phone usage time week over week (thank you, Apple report!) since doing this exercise. Having a stake in the ground for where you’re starting, so you can gauge success and tweak things along the way, is so important.
While I listened to this week’s Reimagining Cyber podcast episode, Measuring Cyber Resilience, over my homebrewed coffee, Nadya Bartol, current Managing Director at BCG Platinion, an arm of the Boston Consulting Group, reiterated the importance of measuring cyber success and reminded us that the metrics used to manage the domain under the CISO’s control will be different from those used to communicate to the executive team and board members.
“The metrics that CISOs use that are good metrics are a variety of things: some folks find maturity assessments actually useful, some find different statistics compiled out of a variety of tools useful, some folks find a combination useful, some folks find tagging metrics to a framework useful. It almost doesn’t matter, if it makes sense to the CISO and the executive team, and they use those to make things better and make improvement.”
Bartol dives deeper into measurement and recommends looking at trends and percentages rather than raw counts, and then working out what is both measurable and meaningful. Remember to think like a CISO: what will be meaningful to him or her, and what changes can actually be made based on these metrics? Defining your thresholds (your stake in the ground) for your cyber resilience metrics is key, she says.
“Learning how good times and thresholds – how long does it take to fill in the blank, patch the hole, etc. We first have to define ‘good’ risk appetite and tolerance. For resilience, if you want to respond within four hours, that’s my threshold. [Then you] measure against four. Over four is bad. Under four is good. How bad is six versus 24? Make thoughtful decisions, based on risk quantifications that an organization defines what is good/bad resilience, and then look at trends.”
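The threshold-and-trend approach Bartol describes is easy to make concrete. The script below is an added example, not code from the podcast, the author, or CyberRes, and it runs over a small set of constructed incident records (the timestamps and the four-hour threshold are assumptions chosen for illustration). For each week it reports the percentage of incidents answered within the threshold, the median response time, and the total hours spent over the threshold, which is what lets a 24-hour response count for more than a six-hour one instead of both being just "bad". A final helper reads the trend across weeks.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (not real incidents): (detected, responded) timestamps.
INCIDENTS = [
    ("2022-03-07 09:00", "2022-03-07 11:30"),  # ISO week 10, 2.5 h
    ("2022-03-08 14:00", "2022-03-08 20:00"),  # week 10, 6 h
    ("2022-03-10 01:00", "2022-03-11 01:00"),  # week 10, 24 h
    ("2022-03-14 10:00", "2022-03-14 13:00"),  # week 11, 3 h
    ("2022-03-15 16:00", "2022-03-15 19:30"),  # week 11, 3.5 h
    ("2022-03-17 08:00", "2022-03-17 14:00"),  # week 11, 6 h
    ("2022-03-21 09:00", "2022-03-21 10:00"),  # week 12, 1 h
    ("2022-03-22 11:00", "2022-03-22 14:00"),  # week 12, 3 h
    ("2022-03-24 22:00", "2022-03-25 01:00"),  # week 12, 3 h
]

# Assumed stake in the ground: respond within four hours.
THRESHOLD_HOURS = 4.0


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def response_hours(detected: str, responded: str) -> float:
    """Hours between detection and response."""
    return (parse(responded) - parse(detected)).total_seconds() / 3600


def weekly_metrics(incidents, threshold: float = THRESHOLD_HOURS) -> dict:
    """Group incidents by ISO week and compute per-week resilience metrics.

    pct_within   - percentage of incidents answered at or under the threshold
    median_hours - median response time, less skewed by one outlier than the mean
    excess_hours - total hours over the threshold, so 24 h hurts more than 6 h
    """
    by_week: dict[int, list[float]] = {}
    for detected, responded in incidents:
        week = parse(detected).isocalendar()[1]
        by_week.setdefault(week, []).append(response_hours(detected, responded))

    metrics = {}
    for week, hours in sorted(by_week.items()):
        within = sum(1 for h in hours if h <= threshold)
        metrics[week] = {
            "count": len(hours),
            "pct_within": round(100 * within / len(hours), 1),
            "median_hours": median(hours),
            "excess_hours": sum(max(0.0, h - threshold) for h in hours),
        }
    return metrics


def trend(metrics: dict, key: str = "pct_within", higher_is_better: bool = True) -> str:
    """Compare the first and last week for one metric: improving, worsening or flat."""
    weeks = sorted(metrics)
    first, last = metrics[weeks[0]][key], metrics[weeks[-1]][key]
    if first == last:
        return "flat"
    return "improving" if (last > first) == higher_is_better else "worsening"


if __name__ == "__main__":
    weekly = weekly_metrics(INCIDENTS)
    for week, m in weekly.items():
        print(f"week {week}: {m['count']} incidents, {m['pct_within']}% within "
              f"{THRESHOLD_HOURS:g} h, median {m['median_hours']} h, "
              f"{m['excess_hours']} h over threshold")
    print("pct_within trend:", trend(weekly))
    print("excess_hours trend:", trend(weekly, "excess_hours", higher_is_better=False))
```

Reporting the over-threshold hours alongside the percentage is the point of "how bad is six versus 24": a week with one 24-hour response and a week with one six-hour response both score 67% within threshold, but the excess-hours figure separates them, and the trend over several weeks is what belongs in front of the executive team.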
As I look at my “thresholds” and define my table stakes, I’ll take these recommendations into consideration. Maybe I can even get my average weekly time on my phone down further! What about you? What are your table stakes/thresholds? What changes will you make to meet those goals? Share them below. We can keep each other accountable.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberResilient.com.