A few words on business metrics for IT Security
“If you cannot measure it, you cannot improve it” – these words are quoted in many management training courses. Over time they have evolved into “If you can’t measure it, you can’t manage it.” Business runs on metrics – financial results, percentage of targets achieved, number of employees, customer satisfaction level, number of clicks on the website. Numbers are the common language of all departments. That is why, in order to protect the business today, you need to speak the language of business – the language of numbers.
The last decade has seen a growing, if sometimes reluctant, recognition of this fact by security professionals. The question many of them ask is, “Which business metrics should I know?” Each organization may have its own unique key performance indicators (KPIs) that must be considered, but some metrics are relevant to any business, and those are the focus here.
Productivity
Simply put, the productivity calculation itself is simple. The difficulty usually lies in deciding what exactly constitutes a “unit of input”. Capital, labor, and materials all have to be considered, along with the question of whether the most accurate answer comes from weighting everything evenly or applying different weights to different parts of the whole. Answers to such questions are the subject of countless hearings, reports, and books. So don’t panic 😊
Security professionals should know that the cost of security is part of the “input unit” as an indirect cost (one not directly related to manufacturing the product). This is a fact that is restated every year during the budget period.
It may be less obvious that an operational performance metric can be useful for security itself. Defining the output unit, whether it is blocked attacks or disrupted data exfiltration attempts, and then calculating the input units can help security teams judge whether they are acting as effectively as possible within their resource constraints. They can then use that information when discussing budgets and processes with the rest of the company.
Customer loyalty and churn rate
Customer loyalty is crucial for one simple reason: it is much cheaper to take an order from an existing customer than to go out and find a new one. Put differently, replacing lost customers is not growth; growth is adding new customers while retaining the existing ones. Why is this relevant for cybersecurity?
Security plays a key role in customer retention – a role with two sides. First, securing web applications and keeping PII secure often introduces friction – delays in transactions – and in today’s online world, customers hate delays. At the same time, research shows that customers now value security over convenience in web applications. What they really want is invisible security. How that security is delivered is therefore of paramount importance to keeping customers with your business. Being able to talk about your work in these terms will greatly improve your collaboration with commercial and marketing groups.
Knowing the churn rate can also be useful when predicting network and security requirements. More importantly, it can be the gauge that drives collaboration between security, sales, and marketing to make sure security accounts for a minimal share of the customer loss that makes up overall churn.
Gross margin
Gross margin is one of the numbers that CEOs and heads of business units usually know as well as their own addresses and the names of their children. It is a fairly simple number to calculate: subtract the cost of goods sold from total sales revenue, then divide that number by total sales revenue – yes, total sales revenue is used twice. The result is a percentage, and you want it to be as high as possible. This is a critical number for cybersecurity because every kind of security spending is part of the “cost of goods sold”. In general, business leaders try to keep the cost of goods sold as low as possible, because the smaller it is, the better the gross margin.
Since security is an expense, it is important to demonstrate that the security obtained for the budget is maximized. Once cybersecurity managers understand where the gross margin comes from and what their contribution to the calculation is, they can have much more productive conversations with business leaders elsewhere in the company.
Number of hours in the process
In many areas of modern companies, human labor (service) is the main component of the cost of goods sold. It is therefore important to understand how many hours a process takes and why security may play an unexpected role in this indicator.
How many hours does it take to secure a web application? Security managers are often asked to tell management how many hours were spent cleaning up after a break-in or breach, but how many hours will it take to prevent such intrusions? Which business process are those hours assigned to? Business leaders need the answers to these questions in order to calculate the cost of goods sold accurately.
These are also the questions security managers must answer when assessing whether their security processes are efficient as well as effective. In the security field it is often considered sufficient to measure effectiveness alone, but answering efficiency questions will help you integrate security, and the IT security function itself, with the rest of the organization.
Net Promoter Score
Lead conversion rate
Leads are important; existing customers are critical. A company’s success in turning the former into the latter is measured by the lead-to-customer conversion rate.
In the classic model of inside and field sales teams with weekly sales reports, sales managers can see the number of phone calls or on-site visits, the number of new leads, and the number of new sales conversions. Those numbers still matter, but for consumer-facing organizations the question is how many visitors to a website become actual customers.
As security’s part of the overall conversion rate, it is important to see where prospects drop out of the process. If they drop out at registration or authentication in the ordering process, that is a critical indicator that something is wrong with the site’s security. Be sensitive to this data, make sure security isn’t responsible for lowering the conversion rate, and you will keep marketing in your corner when it comes to budget and project meetings.
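As an added example (not from the original article), the following Python computes a step-by-step conversion funnel from a constructed clickstream and reports the step at which the largest share of prospects is lost, so a security team can see whether the drop happens at registration or authentication. The funnel step names and the sample events are assumptions made for illustration.

```python
# Ordered steps of a hypothetical ordering funnel (assumed names).
FUNNEL = ["landing", "cart", "registration", "authentication", "payment", "order_complete"]

# Constructed sample clickstream: (session_id, funnel step reached). Not real traffic.
SAMPLE_EVENTS = [
    ("s1", "landing"), ("s1", "cart"), ("s1", "registration"), ("s1", "authentication"),
    ("s1", "payment"), ("s1", "order_complete"),
    ("s2", "landing"), ("s2", "cart"), ("s2", "registration"), ("s2", "authentication"),
    ("s3", "landing"), ("s3", "cart"), ("s3", "registration"), ("s3", "authentication"),
    ("s4", "landing"), ("s4", "cart"), ("s4", "registration"),
    ("s5", "landing"), ("s5", "cart"),
    ("s6", "landing"),
    ("s7", "landing"), ("s7", "cart"), ("s7", "registration"), ("s7", "authentication"),
    ("s8", "landing"), ("s8", "cart"), ("s8", "registration"), ("s8", "authentication"),
    ("s8", "payment"), ("s8", "order_complete"),
]


def furthest_step(events, funnel=FUNNEL):
    """Map each session to the index of the furthest funnel step it reached."""
    order = {step: i for i, step in enumerate(funnel)}
    reached = {}
    for session, step in events:
        reached[session] = max(reached.get(session, -1), order[step])
    return reached


def step_conversion(events, funnel=FUNNEL):
    """Return {step: (sessions reaching the step, share retained from the previous step)}."""
    reached = furthest_step(events, funnel)
    counts = [sum(1 for idx in reached.values() if idx >= i) for i in range(len(funnel))]
    result = {}
    for i, step in enumerate(funnel):
        prev = counts[i - 1] if i > 0 else counts[0]
        result[step] = (counts[i], counts[i] / prev if prev else 0.0)
    return result


def overall_conversion(events, funnel=FUNNEL):
    """Visitors at the first step who completed the last step."""
    conv = step_conversion(events, funnel)
    return conv[funnel[-1]][0] / conv[funnel[0]][0]


def worst_drop(events, funnel=FUNNEL):
    """Name of the step at which the largest share of prospects abandons the process."""
    conv = step_conversion(events, funnel)
    drops = {funnel[i]: 1 - conv[funnel[i + 1]][1] for i in range(len(funnel) - 1)}
    return max(drops, key=drops.get)
```

In the constructed data, 60% of sessions that reach authentication never reach payment, so `worst_drop` points at the authentication step, which is exactly the signal the paragraph above says should trigger a look at the site’s security controls.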
It is impossible not to notice that the indicators above all relate to sales, marketing and customers. It is worth recalling the main purpose of a company’s existence: generating value for its owners and shareholders.
At the end of the day, it is the profit generated that finances development and investment, pays employees and suppliers, and pays off debts. In summary, security must not constrain the business, because the effect could be the same as that of a cyber attack.