In the 80s, when organizations started buying computers, buying networks, and finding infrastructure, companies recognized the importance of having a reliable, resilient infrastructure, so they created an information officer. And in the 80s, they were buried under operations.

Executives quickly realized that operations was in a conflict of interest with I.T. and that they weren’t getting the information they needed. So the CIO very quickly moved up to direct reporting to the CEO. Then they created a metric that could be used to verify and validate whether the CIO was doing their job.

What is the metric of CIOs? It’s uptime availability. Five nines is typically industry standard for 99.999% uptime availability. So now the reason why CIOs are such a mature area is because they have a clear metric with direct reporting to the CEO.

Based on many of the recent breaches, we have learned that putting security under CIOs does not work. The CIO has a completely different function than a chief security officer. It becomes a communication block where the executives are not getting the information that they need. The CIO was getting it before that. But it’s time to give up the territory.

Security is a different function. It’s different than uptime availability. Those two are sometimes adverse. You could not have one person responsible for both because that’s a CEO’s decision, not the CIO’s. The decision between uptime availability and security should be made in the boardroom – not by an independent person.

The next thing we need to do is come up with the five nines of security. We need a metric that we can use to report to security. So we now need to go in and figure out what the five nines are. Now I will be honest with you: I have put a lot of energy and effort into this. I do not think my answer is ready, but I don’t have anything better.

And I’ll tell you right now, it’s a lot better than the default metric that you have today. The default that you have today for security is if you don’t have a breach, you’re doing good. Well, what’s the problem with that? We’re all going to have a breach. Which means as soon as a breach occurs you lose your job.

Whenever a major breach occurs basically whoever’s responsible for security loses their job because the metric that executives were using was “no breach equals security” and “breach means failure.” Unfortunately, we’re all going to have a breach. So if that’s our metric, you need to update your resume.

The better metric is “Attempted Attacks.” I’m not saying it’s perfect but here’s the rule – you’re not allowed to say my metric is bad unless you propose something better.

Here’s what I like about “Attempted Attacks” – it’s a positive metric. It’s showing what you’re doing.

One of the metrics I hate is “Vulnerability Data” – it’s a negative metric. It’s where you go to your executives and say, “Last quarter we had 300 vulnerabilities.” Then you come back and say, “This quarter we have 280 vulnerabilities.” And then next quarter you say, “We have 340 vulnerabilities.” And so on. What are you doing? You are basically going to your executives every quarter and saying, “Look how much we suck.” If I was an executive, after three or four quarters what would I be thinking? “What’s my security team doing?”

We need a positive metric. “Attempted Attacks” is a positive metric.

The second thing I like about this is that it is data that is readily available. I’m not saying this is a complete data set that represents all the data that’s out there, but one of the ways of counting attempted attacks is dropped packets at the firewall.

That starts to give us an estimate of the number of attempted attacks that are occurring against our organization. So at least we have the starting point for a metric that now we can give to the executives. The feedback I’ve heard from my own clients is “Finally security is stepping up and defining a communication metric that we can understand.”
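One way to turn dropped packets at the firewall into a quarterly “Attempted Attacks” number, as an added example that is not from the original post. It assumes the firewall writes one log line per drop with an ISO 8601 timestamp and a hypothetical `FW-DROP:` prefix; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic). The "FW-DROP:" prefix and the
# ISO 8601 timestamp are assumptions; adapt them to your firewall's log format.
SAMPLE_LOG = """\
2024-02-11T03:14:07+00:00 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=22
2024-02-11T03:14:09+00:00 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51240 DPT=22
2024-03-02T17:40:51+00:00 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=40022 DPT=3389
2024-03-02T17:41:00+00:00 fw1 kernel: FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.80 DST=198.51.100.10 PROTO=TCP SPT=40100 DPT=443
2024-04-19T08:02:33+00:00 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=UDP SPT=5060 DPT=5060
2024-05-06T22:10:12+00:00 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.10 PROTO=TCP SPT=33211 DPT=22
2024-05-06T22:10:13+00:00 fw1 kernel: truncated line without fields
"""

# Only drop records count. DPT is optional because some protocols (ICMP, for
# example) carry no destination port.
DROP_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+kernel:\s+FW-DROP:.*?\bSRC=(?P<src>\S+)(?:.*?\bDPT=(?P<dpt>\d+))?"
)

def quarter_of(ts):
    """Map an ISO 8601 timestamp to a reporting period such as '2024-Q1'."""
    dt = datetime.fromisoformat(ts)
    return f"{dt.year}-Q{(dt.month - 1) // 3 + 1}"

def attempted_attacks(log_text):
    """Per quarter: dropped packets, distinct sources, most-targeted ports."""
    stats = defaultdict(lambda: {"dropped": 0, "sources": set(), "ports": Counter()})
    for line in log_text.splitlines():
        m = DROP_RE.match(line)
        if not m:
            continue  # accepted traffic and malformed lines are not counted
        q = stats[quarter_of(m["ts"])]
        q["dropped"] += 1
        q["sources"].add(m["src"])
        if m["dpt"]:
            q["ports"][int(m["dpt"])] += 1
    return {
        quarter: {"dropped": q["dropped"], "distinct_sources": len(q["sources"]),
                  "top_ports": q["ports"].most_common(3)}
        for quarter, q in stats.items()
    }

if __name__ == "__main__":
    for quarter, row in sorted(attempted_attacks(SAMPLE_LOG).items()):
        print(quarter, row)
```

Reporting distinct sources next to the raw drop count keeps one noisy scanner from inflating the quarter-over-quarter trend.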
