How to show you CARE about cybersecurity
In the past, cybersecurity priorities and investments were largely based on doing something to avoid an outcome. For example, you might implement a patch management tool to avoid incidents resulting from unpatched security vulnerabilities.
This is not the best course of action. Cybersecurity priorities and investments should be based on achieving a set of outcomes that are consistent, adequate, reasonable and effective (CARE). Gartner introduced CARE as a framework to help organizations assess the credibility and defensibility of their cybersecurity program.
For example, rather than simply confirming the presence of tools and processes to patch vulnerabilities, an organization should measure outcomes directly related to the level of protection, such as the number of days it takes to update critical systems with critical patches.
But because there is no industry standard set of security metrics or KPIs, every organization needs the flexibility to meet its unique circumstances.
“Ultimately, these are value judgments,” says Claude Mandy, Senior Director Analyst, Gartner. “These four characteristics embody myriad opportunities to do what is best for the organization. Use the framework to ensure your security program delivers better outcomes, not just greater spend.”
We recommend that as a security and risk management leader, you develop a catalogue of 20 to 30 CARE metrics that translate operational metrics into something easily understood by a nontechnical audience.
The following are types of security metrics to include in a dashboard to help prove to key stakeholders, such as regulators, customers and shareholders, that you have met the duty of care.
Consistency Metrics
These assess whether security controls are working consistently over time across an organization. They should be continuously updated, measured and reported weekly, monthly or quarterly to demonstrate that they remain consistent. For example:
- Third-party risk assessment: The metric could measure coverage, for example the percentage of third parties with a completed risk assessment.
- Security awareness: The metric could measure currency, for example the percentage of employees who have received phishing training in the last X months.
Adequacy Metrics
These assess whether the controls meet business needs and stakeholder expectations. For example:
- Achievement of patching: Percentage of assets regularly patched within a protection-level agreement (PLA)
- Achievement of malware update PLA: Percentage of endpoints with anti-malware definitions regularly applied within PLA
Reasonableness Metrics
These prove that your security controls are appropriate, fair and moderate, as determined by their business impact and the friction they cause. For example:
- Delays and downtime: Average delay (in hours) when adding new access
- Complaints: Number of complaints triggered by a particular security control
Effectiveness Metrics
These assess whether your security controls are producing the desired outcome. For example:
- Vulnerability remediation: The metric could measure timeliness, for example the average or maximum number of days required to remediate critical security vulnerabilities.
- Prevalence of cloud security incidents: Number of cloud security incidents per year caused by cloud misconfiguration
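The adequacy metric above (percentage of assets patched within a protection-level agreement) and the effectiveness metric (average or maximum days to remediate critical vulnerabilities) are both computed from the same finding records, so the following added example, which is not from Gartner or the original article, calculates both from a small constructed dataset. The PLA thresholds, finding records, as-of date and function names are assumptions made for illustration. The example also shows the caveat a practitioner should build in: a finding that is still open but already past its PLA is a breach and must be counted, otherwise the dashboard only reports on tickets that were closed and silently flatters the number.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed protection-level agreement (PLA): maximum days to remediate, by severity.
PLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


@dataclass
class Finding:
    asset: str
    severity: str
    discovered: date
    remediated: Optional[date]  # None means the finding is still open


def days_to_remediate(f: Finding, as_of: date) -> int:
    """Days from discovery to closure; open findings are aged up to as_of."""
    return ((f.remediated or as_of) - f.discovered).days


def pla_status(f: Finding, as_of: date) -> str:
    """'met', 'breached' or 'pending'.

    A closed finding is judged by its closure date. An open finding that is
    already older than the PLA is a breach today; an open finding still inside
    the PLA is pending and should not be counted either way yet.
    """
    limit = PLA_DAYS[f.severity]
    age = days_to_remediate(f, as_of)
    if f.remediated is not None:
        return "met" if age <= limit else "breached"
    return "breached" if age > limit else "pending"


def pla_attainment(findings, as_of: date, severity: Optional[str] = None,
                   closed_only: bool = False) -> Optional[float]:
    """Percentage of decided findings that met the PLA (adequacy metric).

    closed_only=True reproduces the common but misleading dashboard that only
    looks at tickets which were closed, ignoring overdue open findings.
    """
    selected = [f for f in findings if severity in (None, f.severity)]
    if closed_only:
        selected = [f for f in selected if f.remediated is not None]
    decided = [s for s in (pla_status(f, as_of) for f in selected) if s != "pending"]
    if not decided:
        return None
    return round(100 * decided.count("met") / len(decided), 1)


def remediation_days(findings, as_of: date, severity: str = "critical") -> Optional[dict]:
    """Average and maximum days to remediate (effectiveness metric).

    Open findings are included at their current age so a long-lived open
    critical cannot hide from the maximum.
    """
    selected = [f for f in findings if f.severity == severity]
    if not selected:
        return None
    ages = [days_to_remediate(f, as_of) for f in selected]
    return {
        "mean": mean(ages),
        "max": max(ages),
        "open": sum(1 for f in selected if f.remediated is None),
    }


# Constructed sample data for the example; not real findings.
AS_OF = date(2024, 6, 30)
FINDINGS = [
    Finding("web-01", "critical", date(2024, 6, 1), date(2024, 6, 10)),   # 9 days, met
    Finding("db-02", "critical", date(2024, 5, 1), date(2024, 5, 25)),    # 24 days, breached
    Finding("app-03", "critical", date(2024, 6, 5), None),                # open 25 days, breached
    Finding("api-04", "critical", date(2024, 6, 25), None),               # open 5 days, pending
    Finding("fs-05", "high", date(2024, 5, 20), date(2024, 6, 10)),       # 21 days, met
    Finding("vpn-06", "medium", date(2024, 3, 1), None),                  # open 121 days, breached
]

if __name__ == "__main__":
    print("critical PLA attainment:", pla_attainment(FINDINGS, AS_OF, "critical"))
    print("critical PLA attainment (closed tickets only):",
          pla_attainment(FINDINGS, AS_OF, "critical", closed_only=True))
    print("all-severity PLA attainment:", pla_attainment(FINDINGS, AS_OF))
    print("critical remediation days:", remediation_days(FINDINGS, AS_OF))
```

With this data the critical PLA attainment is 33.3% when overdue open findings are counted, but 50.0% if only closed tickets are considered; the second figure is what a patch-tool report typically shows, and it is the kind of number the CARE approach is meant to replace with an outcome that regulators or customers can actually rely on.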
As a security and risk management leader, it’s up to you to contextualize for the audience, drill into detail for specific business units and systems, and link CARE metrics to business outcomes.
