If your role is responsible for a budget, your work ultimately revolves around one word: metrics. It is a word we often dread, because we can never seem to get it right. I live and breathe metrics in marketing, and if you are the gal or guy responsible for the fraud management or cyber security program in your organization, you will completely understand what I am about to say.
In marketing, metrics are my life as I regularly collect legions in order to create a quarterly readout to management on performance. I measure everything - sales leads generated, website visits, page views, media interviews and mentions, social media engagements, cost per lead, open rates, clickthrough rates, and impressions. The list continues from there to report on, positive feedback from analysts, the webcast with over 400 registrants, and the keynote to 100 CISOs. In the end, I get the same question every time: how did this activity contribute to the sales pipeline and help accelerate leads to closed business? I walk away wondering, "Did they understand what I just reported?" Instead, I more often feel there was a communication disconnect.
RSA has aptly named this communication disconnect the Gap of Grief. In cyber security, the Gap of Grief refers to the disconnect between IT security and executive leadership to effectively communicate the business impact of the cyber risks they face.
We all experience the gap of grief. For IT security and business executives, it is an obstacle posing a threat to a company's ability to measure the success of cyber security and fraud management and the impact of the actions taken.
First, we must acknowledge that IT security and management aren't usually looking at information from the same mindset. The security team is thinking in a technological context, whereas management is thinking in a business context. It's the same for me in marketing. My management doesn't care how many new leads I generated for the quarter. They care what percentage of those leads turned into new business.
To help understand the gap of grief faced by banks, retailers and card issuers, RSA, through sponsored research with Javelin Strategy & Research, set out to understand what key performance indicators (KPIs) each of these businesses use to effectively analyze how a specified degree of security relates to business outcomes and how they measure success.
Several interesting (and some obvious) insights came out of the research. For example, when it comes to fraud prevention, executives want to know the answer to three simple questions:
- What did it cost?
- How much did we lose?
- What was the impact on the customer?
This is not to say management doesn't care about security incidents, but success cannot be measured solely on the basis of vulnerabilities patched this month. Businesses should establish formal procedures for communicating any sudden major fraud or cybersecurity events. The severity or type of events the leadership team wants to be notified of should be discussed.
Another interesting insight was the growing recognition within many organizations about the importance of collaboration between information security and fraud teams and the need to work together in order to identify metrics that may be significant indicators of potential fraud risk.
The key to communicating with executives is not just reporting metrics, but also the right metrics as this is what will ultimately drive future investment. You can access the full report, "Business-Driven Fraud Management: Engaging with Leadership to Drive Investment" or join our live webcast on March 22 at 2:00 ET to learn more.
What metrics are important to your management? We would love to hear from you. Send your comments to us @RSAFraud on Twitter.
Author: Heidi Bleau
Category: RSA Fundamentals, Blog Post
Keywords: Business Driven Security, Cybercrime and Fraud, Fraud Management, Gap of Grief, Metrics