PUBLISHER: IDC | PRODUCT CODE: 2079494
PUBLISHER: IDC | PRODUCT CODE: 2079494
This IDC Perspective details a framework for cybersecurity metrics that enables effective data-driven leadership. Cybersecurity has matured as a discipline. Once the dominion of hoodie-wearing basement dwellers, the topic has elevated to the C-suite and beyond. In essence, cyber-risk equals business risk. Just as revenue and expense information is shared at all levels of the organization, there is a need to share information on the effectiveness and efficiency of cybersecurity with operations, management, and corporate governance.Cybersecurity metrics are extremely misunderstood. This confusion has much to do with how cybersecurity has evolved and matured over the past 40 years. What is needed are metrics derived from a consolidated intelligence repository in the form of language that communicates risk likelihood versus impact to the business, whether financial or otherwise. Today's environment calls for a capability to collect rich contextual information that provides not only metrics and statistics but additional risk and compliance insights and themes across the cybersecurity program to aid in both strategic and tactical management, known as data-driven metrics. The emergence of AI has introduced a new and urgent dimension to this challenge - reshaping the threat landscape while creating a new class of ungoverned internal risk from organizations' own AI deployments - requiring metrics frameworks that measure both dimensions with equal rigor.GRC platforms can provide data-driven metrics leveraging a rich consolidated repository of internal and external business, IT, and cybersecurity contextual intelligence. Through automation, machine learning (ML), and AI, GRC platforms today can utilize and enhance findings through an integrated repository of internal and external contextual business, IT, and cybersecurity intelligence fabric."The age of AI demands a fundamental rethink of how organizations measure cybersecurity risk. Reporting firewall blocks to boards while AI systems operate without governance or accountability is no longer acceptable. Data-driven metrics - built on a consolidated intelligence platform and extended to capture AI-specific risk at every audience level - are not just the best practice. They are a business imperative," says Philip Harris, research director, Governance, Risk, and Compliance Services, IDC.