What are outcome-driven metrics?
Outcome-driven metrics (ODMs) measure the effectiveness of technology investments in terms of both operational performance and desired business benefits. The intent of ODMs is to expand understanding beyond the performance of any given technology to how that technology supports the business outcomes that depend on it.
What are the benefits of outcome-driven metrics?
Security teams implementing ODMs realize the following tangible benefits:
- Evidence-Based Prioritization – Organizations often struggle to prioritize initiatives when the basis for prioritization is subjective. This is especially true when the perceived value of a technology or program is too technical to be understood at a cross-departmental level. By using objective measurement, security leaders are able to show the relative value of any new investment, providing an understandable framework for prioritization.
- Business-Level Context – By understanding the interrelationship between what a security team wants to achieve in the context of business-level outcomes, security investments are seen as part of a larger, more strategic, and measurable decision.
- Objective Measurement – By creating defensible metrics that have clear meaning, security teams are able to measure the value and results of their security investments in a way that is more granular than the traditional “do enough that we aren’t going to be breached”.
What are the five stages of implementing outcome-driven metrics?
The five stages of implementing outcome-driven metrics are:
- Develop Initial Business Processes and Supporting Technologies
- Identify Business Outcomes and Outcome-Driven Metrics
- Identify Risks and Dependencies
- Define ODMs
- Assess Readiness and Risk
ODM Stage One: Developing the Initial Processes and Supporting Technologies
In this stage, teams create a simple list of the most obvious security processes and their supporting technologies. This can be as simple as a process: technologies mapping:
- Endpoint Protection: XDR, EDR
- Vulnerability Management: Vulnerability Scanner
- Authentication: IAM, Directory Services
ODM Stage Two: Identify Business Outcomes and ODMs
For each of the business processes outlined in the first stage, identify an initial set of priorities and outcomes.
- Endpoint Protection: Deployment and coverage, threats identified
- Vulnerability Management: Scan frequency, scan coverage, threats identified by severity
- Authentication: Identities covered, MFA enabled
ODM Stage Three: Identify Risk and Dependencies
This stage identifies measurable dependencies on technologies, starting with a simple description of the benefits derived from each technology and the business processes it supports. In other words, what breaks if the technology fails?
In security, a good example would be an IAM technology becoming unavailable. An outage in an IAM tool could mean that employees, customers, and partners cannot access core business resources, resulting in revenue loss. Additionally, employees may resort to using personal machines, non-sanctioned software, and other workarounds just to get their work done.
ODM Stage Four: Define Security ODMs
In this stage, security teams must define the metrics that determine their security stack’s ability and readiness to support the desired business outcome. Examples could include:
- Vulnerability Scan Frequency
- Mean Time to Detection
- Patch Frequency
- Mean Time to Inventory
- Overall Threat Exposure Metrics
The purpose here is to establish a baseline set of indicators that both judge performance and identify potential issues that could negatively impact other business outcomes if left unaddressed.
ODM Stage Five: Assess the Security Stack’s Readiness as Business Risk
The fifth and final stage in ODM development looks at the state of the security stack and its ability to support dependent business processes and outcomes. In the IAM example above, what contingencies are in place for the case where the IAM provider is not available? What other plans, technologies, and communications would be triggered to ensure business availability in the absence of the main technology? And given that answer, how much disruption would the (temporary) switch cause?
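As an added example that is not part of the original article or of Nagomi's product, the Python below computes several of the ODMs named in stages two and four (EDR coverage, MFA coverage, mean time to detection, severity-weighted threat exposure) over constructed telemetry, then flags the metrics that miss an illustrative target, which is the readiness question stage five asks. All field names, target values and severity weights are assumptions, not any vendor's schema.

```python
# Added example: compute a handful of ODMs from constructed telemetry and
# report which ones fall short of a target (the stage-five readiness check).
from datetime import datetime, timedelta

# Constructed sample telemetry; the field names are assumptions.
ENDPOINTS = [{"host": "ws-01", "edr": True}, {"host": "ws-02", "edr": True},
             {"host": "ws-03", "edr": False}, {"host": "srv-01", "edr": True}]
IDENTITIES = [{"user": "alice", "mfa": True}, {"user": "bob", "mfa": True},
              {"user": "carol", "mfa": True}, {"user": "dave", "mfa": True}]
DETECTIONS = [  # (time malicious activity started, time the EDR alerted)
    (datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 11, 0)),
    (datetime(2024, 3, 2, 14, 0), datetime(2024, 3, 2, 14, 30)),
    (datetime(2024, 3, 3, 8, 0), datetime(2024, 3, 3, 17, 30)),
]
OPEN_VULN_SEVERITIES = ["critical", "high", "low"]  # open findings by severity
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}

def coverage(records, flag):
    """Fraction of records where the control flag is on (0.0 when no records)."""
    return sum(1 for r in records if r[flag]) / len(records) if records else 0.0

def mean_time_to_detect_hours(detections):
    """Average gap between activity start and alert, in hours."""
    if not detections:
        return 0.0
    total = sum((seen - started for started, seen in detections), timedelta())
    return total.total_seconds() / 3600 / len(detections)

def threat_exposure(severities):
    """Severity-weighted count of open findings (higher is worse)."""
    return sum(SEVERITY_WEIGHT[s] for s in severities)

def compute_odms():
    return {"edr_coverage": coverage(ENDPOINTS, "edr"),
            "mfa_coverage": coverage(IDENTITIES, "mfa"),
            "mttd_hours": mean_time_to_detect_hours(DETECTIONS),
            "threat_exposure": threat_exposure(OPEN_VULN_SEVERITIES)}

# Illustrative targets (assumed); the bool says whether higher values are better.
TARGETS = {"edr_coverage": (0.95, True), "mfa_coverage": (0.99, True),
           "mttd_hours": (1.0, False), "threat_exposure": (5, False)}

def readiness_gaps(odms, targets=TARGETS):
    """Return {metric: (value, target)} for every ODM that misses its target."""
    gaps = {}
    for name, (target, higher_is_better) in targets.items():
        value = odms[name]
        missed = (value < target) if higher_is_better else (value > target)
        if missed:
            gaps[name] = (value, target)
    return gaps
```

Each gap returned is a stage-five finding: the business outcomes that depend on that control are at risk until the metric is brought back to target.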
How can Nagomi help teams with outcome-driven metrics?
One of Nagomi’s significant use cases involves effectively communicating changes, gaps, improvements, and overall performance of a security program in a manner understandable to non-technical audiences. Nagomi offers out-of-the-box reporting capabilities that are fully customizable in terms of language and granularity, catering to how organizations present and report on their security programs. By heavily focusing on contextualizing and integrating telemetry from the environment through security tools APIs, we can frame conversations for the Board in their language of security. Nagomi is diligently expanding the scope of contextualization it provides, enabling security leaders to swiftly and effectively grasp gaps within their organizations, identify necessary actions for resolution, evaluate ROI implications, and assess direct cost impacts.
Nagomi helps cybersecurity teams make their security tools more effective against real-world threats. By connecting to the tools that customers already have, the Nagomi Proactive Defense Platform maps threats like ransomware, phishing, and insider threat to specific campaigns, then analyzes defenses to provide prescriptive, evidence-based remediation plans to reduce risk and maximize ROI.