Last updated February 15th, 2023 by Eitan Satmary
Insights from Jess Burn, Forrester S&RM Senior Analyst
On August 17th, Jess Burn, a senior security and risk management analyst with Forrester, shared with the Tufin community her insights regarding Zero Trust metrics, specifically focusing on how to identify the metrics that matter. Jess has spoken with over 500 CISOs in the last 2 years, exploring the challenges they are facing and what strategies have driven solutions. The most common initial frustration voiced to her has been that many CISOs feel their metrics are broken, or are unaligned with the Zero Trust methodology they aim to achieve.
The Challenge – A New Audience: The Board of Directors
Over the last two years the audience for security metrics has changed. Historically, CISOs would typically develop 1-2 slides for a CIO to present to the board. With headline-grabbing breaches, the CIO is now a critical part of any board presentation, and board members need to understand what is being presented to them. They need to understand what decisions are required to gauge the security risk to the organization, the potential impact on the business, and progress related to the mitigation efforts. They need to know if and how the security risks are defined and mitigated.
A Summary of the Solution: Actionable Metrics
Good metrics must lead to decisions and be tailored to the audience. Jess recommends that organizations organize their metrics around three different audiences: strategic, operational and tactical. A strategic audience is typically comprised of the board or senior management and will include metrics that reflect the current security posture (maturity level), the business impact of risk, how risks affect business decisions, and links with corporate strategy. Operational metrics are designed for counterparts in an organization and provide an overview of performance and relationships across the organization. Some examples of operational metrics can be seen in the figure below.
Screenshot from webinar – examples of operational zero trust metrics.
The last category of audience is those that need tactical metrics: metrics that drive the day-to-day activities of a security team.
Furthermore, for metrics to transform current inputs into actionable insights, they need to look at prior actions, the current state, and future states. Leading metrics forecast what is coming, lagging metrics demonstrate past trends and progressions, and coincident metrics reflect the current state.
By aligning metrics with the audience and risk posture, and then ensuring they are actionable, CIOs can reassure their board that they are managing the organization’s risks, as well as meeting the needs of their management and their team. To learn more and see examples of strategic, operational and tactical scorecards, please watch the webinar recording, Forrester Interview: The Zero Trust Metrics That Matter.