Listening to a very interesting cyber incident report presentation from Verizon, I heard the presenter very honestly state "we have no reliable data on impact", and then it struck me!
Imagine a Formula 1 team that published data on how many crashes it had during the season, with a very detailed root cause analysis of each and every crash, while totally ignoring the team's race results, e.g. how many times it won a race, or the positions it achieved in each race.
Imagine it also omitting any data on the impact of the crashes on the car in question.
Their analysis might also detail the effectiveness of the different controls that could have mitigated the different types of crashes.
Such a Formula One team might valuably ask the questions:
How might we link the value of crash avoidance to our final podium position?
How might we link the impact of controls on our final podium position?
For every member of a Formula One team knows that the important measure is podium position, achieved by consistently attaining the fastest lap times.
In the Infosec world, our maturity in this space is still quite limited. Incident reports are by their very nature Anti-Clockwise. How can we connect the analysis of this data to the positive outcomes desired by our business or, better, by our customers? After all, the important measurements should always start with the customer's needs and desires.
Imagine that in a bank a positive correlation is found between the implementation of a control and an increase in customer longevity.
A security control that is helping to retain customers... Huzzah!
Developing a Clockwise Security mind-set starts with fully understanding the key business measures of success.
What is that measure in your industry?
Perhaps more importantly, how do your customers measure success?