
2024 Gartner®, Four Steps to Develop Outcome-Driven Metrics for Cybersecurity

Gartner reprint: Four Steps to Develop Outcome-Driven Metrics for Cybersecurity

CybSafe is proud to bring you cutting-edge research in cybersecurity.

We’re spotlighting a landmark framework: 2024 Gartner®, Four Steps to Develop Outcome-Driven Metrics for Cybersecurity.

Report overview

We think this report is for CIOs, security leaders, and anyone with an interest in developing and deploying cybersecurity metrics – including using phishing click rates to demonstrate business value.

According to Gartner, “Senior business executives and boards of directors are increasingly seeking assurance that the organization’s cybersecurity capabilities are appropriate and delivering the outcomes expected.”

“A good metric should inform decision-making, align with business outcomes, and guide priorities and investments,” they add. However, many common cybersecurity metrics cannot do these things—so what’s the alternative?

Outcome-driven metrics, or ODMs, address these limitations. They have, Gartner points out, “a direct line of sight to the operational outcomes of investment and to the level of protection delivered in a business context.”

According to Gartner, by using ODMs “CIOs can more effectively drive priorities and investments that balance the need to protect the business with the need to run it.”

Rich in examples, evidence and guidance, this report’s four-step approach equips security leaders to have clear conversations with executives about the value of security investments.


Gartner®, Four Steps to Develop Outcome-Driven Metrics for Cybersecurity, by Paul Proctor, Shruthi Shankel, Emily Tan, Richard Addiscott, Paul Furtado, Christopher Mixter, 27 September 2024.

Report highlights

“Good ODMs … measure protection levels, they support direct investment to change protection levels and they are explainable to executives with no technical background.”

“A cybersecurity ODM is a metric that acts as both a protection level and a value lever. This means the metric reflects how well an organization is protected, not how it is protected.”

“Cybersecurity metrics are typically backward-looking, operational metrics that do not support decision making for priorities and investments.”

“ODMs simultaneously reflect protection levels and value for investment. Benchmarked ODMs create peer comparisons to guide defensible cyber investments.”

Source: Four Steps to Develop Outcome-Driven Metrics for Cybersecurity, by Paul Proctor, Shruthi Shankel, Emily Tan, Richard Addiscott, Paul Furtado, Christopher Mixter, 27 September 2024.

Disclaimer: GARTNER® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner Peer Insights™ content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.