Measuring Zero Trust Success

Security leaders rely on metrics both for internal management of the security function and for effective communication with business executives. Effective CISOs use meaningful metrics to build support for ZT across the organization and to avoid the trap of “precision without accuracy.”

Our research identified three stages for the effective use of metrics to assess and communicate security status and success:

1.Establish context.

Ensure that the organization is ready to use metrics effectively and frame the metrics in ways that resonate with their target audiences. The security team needs to have reached a reasonable level of achievement before metrics can help drive attention rather than concern. Target audiences need to understand what the metrics represent before they can absorb and discuss their implications. Additionally, the metrics themselves must speak to objectives or concerns held by each target audience. Colleagues will tune out metrics that they view as too abstract, “in the weeds,” or esoteric.

2. Identify a cohesive set of metrics that fill three key functions:

Strategic metrics supporting communications with stakeholders (board of directors, senior business executives) who have responsibility for cyber risk management and for the budgets used to achieve both agility and compliance.
Operational metrics that help IT and security management identify cross-organizational security requirements and readiness.
Tactical metrics that are used to direct and assess security activities within the six ZT pillars (identity, devices, network, infrastructure, applications, and data).

These metrics should relate to the top-level objectives (strategic, operational, tactical) and be quantitative and fact-based, measured in ways that are transparent and sound, and detailed/granular enough to make period-over-period comparison meaningful. Experience shows that the overall measurement framework will expand over time, so CISOs should not be too concerned with deploying a comprehensive set of metrics out of the gate. It’s best to start with a limited set that directly tracks key priorities.

3. Implement processes for tracking progress against target objectives and over time.

CISOs can use metrics effectively by aligning them to targeted, high-value business objectives, identifying the technologies or practices that are intended to result in improved business or security outcomes, and then assessing the effectiveness of technology or process changes through the metrics. Tracking the degree of change over time will help the CISO communicate consistently and effectively with the board of directors and business executives, work with IT and security management colleagues to identify and address holistic issues requiring attention, and guide and track progress within each of the six ZT pillars.

Click here to access the Stratascale Executive Guide to Zero Trust report, “Zero Trust Metrics”