Security Podcast: Measuring Cyber Resilience

Micro Focus Frequent Contributor

If you cannot measure it, you cannot improve it. I’m not sure who said it, but boy is it true. Between working full-time and grad school part-time, I’m always thinking about time. It is, by far, my most expensive commodity. When I first started grad school, my Success Coach (yes, that’s a thing) had me break my day into 30-minute blocks to see where I could shave off a few minutes to be more efficient and effective. For example, making coffee at home versus a Starbucks run or ordering grocery delivery over running to the store. At first, I rolled my eyes at the exercise, but it actually proved beneficial. I noticed I was spending too much time mindlessly scrolling on my phone in the morning and at night. Since then, I’ve put in parameters to stop this habit, and as it turns out, I’ve decreased my phone usage time week over week (thank you, Apple report!) since doing this exercise. Having a stake in the ground of where you’re starting, so you can gauge success and tweak it along the way is so important.

While listening to this week’s Reimagining Cyber podcast episode, Measuring Cyber Resilience, over my homebrewed coffee, I heard Nadya Bartol, current Managing Director at BCG Platinion, an arm of the Boston Consulting Group, reiterate the importance of measuring cyber success. She reminds us that the metrics used to manage the domain under the CISO’s control will be different from those used to communicate with the executive team and board members.

“The metrics that CISOs use that are good metrics and are a variety of things, some folks find maturity assessments actually useful, some find different statistics compiled out of a variety of tools useful, some folks find a combination useful, some folks find tagging metrics to a framework useful. It almost doesn’t matter. If it makes sense to the CISO and the executive team, and they use those to make things better and make improvement.”

Bartol dives deeper into measurement and recommends looking at trends and percentages and then finding out what is measurable and meaningful. Remember to think like a CISO. What will be meaningful to him/her? What changes can be made based on these metrics? Defining your thresholds (stake in the ground) for your cyber resilience metrics is key, she says.

“Learning how good times and thresholds – how long does it take to fill in the blank, patch the hole, etc. We first have to define ‘good’ risk appetite and tolerance. For resilience, if you want to respond within four hours, that’s my threshold. [Then you] measure against four. Over four is bad. Under four is good. How bad is six versus 24? Make thoughtful decisions, based on risk quantifications that an organization defines what is good/bad resilience, and then look at trends.”
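As an added illustration of the threshold-and-trend approach Bartol describes above (this is example code written for this post, not anything from the podcast, Micro Focus, or BCG), the Python below takes a handful of constructed incident timestamps, works out how long each took to respond to, grades it against the four-hour threshold from the quote, and then reports the percentage of incidents within threshold per week together with the direction of the trend. The sample timestamps and the grading bands beyond "over four is bad" (up to twice the threshold counts as "bad", anything longer as "severe") are assumptions made for the example.

```python
"""Resilience metric: share of incidents responded to within a threshold, per week."""
from collections import defaultdict
from datetime import datetime

# Threshold taken from the quote: respond within four hours.
THRESHOLD_HOURS = 4.0

# Constructed sample data (not real incidents): (detected, responded) as ISO timestamps.
SAMPLE_INCIDENTS = [
    ("2023-01-02T08:00", "2023-01-02T10:30"),  # 2.5 h
    ("2023-01-03T14:00", "2023-01-03T20:00"),  # 6 h
    ("2023-01-05T09:00", "2023-01-06T09:00"),  # 24 h
    ("2023-01-09T11:00", "2023-01-09T12:00"),  # 1 h
    ("2023-01-10T16:00", "2023-01-10T19:30"),  # 3.5 h
    ("2023-01-12T07:00", "2023-01-12T13:00"),  # 6 h
    ("2023-01-16T10:00", "2023-01-16T11:00"),  # 1 h
    ("2023-01-17T13:00", "2023-01-17T16:00"),  # 3 h
    ("2023-01-19T09:00", "2023-01-19T12:00"),  # 3 h
]


def hours_to_respond(detected: str, responded: str) -> float:
    """Elapsed hours between detection and response."""
    start = datetime.fromisoformat(detected)
    end = datetime.fromisoformat(responded)
    return (end - start).total_seconds() / 3600


def grade(hours: float, threshold: float = THRESHOLD_HOURS) -> str:
    """Grade one response time against the threshold.

    Only 'within threshold is good, over is bad' comes from the quote; the
    'bad' vs 'severe' split at twice the threshold is an assumed band that an
    organization would set deliberately from its own risk appetite.
    """
    if hours <= threshold:
        return "good"
    if hours <= 2 * threshold:
        return "bad"
    return "severe"


def weekly_within_threshold(incidents, threshold: float = THRESHOLD_HOURS) -> dict:
    """Percentage of incidents responded to within threshold, keyed by ISO week."""
    counts = defaultdict(lambda: [0, 0])  # week -> [within_threshold, total]
    for detected, responded in incidents:
        iso = datetime.fromisoformat(detected).isocalendar()
        key = f"{iso[0]}-W{iso[1]:02d}"
        counts[key][1] += 1
        if hours_to_respond(detected, responded) <= threshold:
            counts[key][0] += 1
    return {week: round(100 * within / total, 1) for week, (within, total) in counts.items()}


def trend(series: dict) -> str:
    """Compare the latest week to the earliest one: improving, degrading, or flat."""
    values = [series[week] for week in sorted(series)]
    if len(values) < 2:
        return "insufficient data"
    delta = values[-1] - values[0]
    if delta > 0:
        return "improving"
    if delta < 0:
        return "degrading"
    return "flat"


if __name__ == "__main__":
    weekly = weekly_within_threshold(SAMPLE_INCIDENTS)
    for week in sorted(weekly):
        print(f"{week}: {weekly[week]}% within {THRESHOLD_HOURS:g} h")
    print("trend:", trend(weekly))
```

The point of reporting a percentage per week rather than a raw count is that it stays comparable as incident volume changes, which is what makes the trend meaningful to an executive audience; the per-incident grade is the finer-grained view the CISO's team would use to decide which misses to investigate.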

As I look at my “thresholds” and define my table-stakes I’ll take these recommendations into consideration. Maybe I can even get my average weekly time down on my phone even further! What about you? What are your table stakes/thresholds? What changes will you make to meet those goals? Share them below. We can keep each other accountable.

You can find the latest episode of Reimagining Cyber on Apple, Soundcloud, Stitcher, Google Play, and Spotify. Give it a listen and let me know what you think.

More Information:

CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit
