Introduction
Organizations often struggle with effective cybersecurity performance management due to the lack of standardized metrics, siloed security practices, and difficulty quantifying the value of cybersecurity initiatives. Many businesses fail to tie cybersecurity performance directly to organizational goals, leading to gaps in resource allocation, risk mitigation, and strategic planning. This results in poor visibility into the effectiveness of cybersecurity measures and an inability to adapt quickly to emerging threats. Pironti stated, "Information security is an ever-changing and evolving activity. To have accurate visibility to these changes, an organisation must establish, maintain, monitor, interpret and report effective metrics and measures." With this, Pironti emphasises the need for clear metrics that boards of directors can understand and monitor at all times [1] in order to improve their cybersecurity resilience.
[1] J. Pironti, "Developing Metrics for Effective Information Security Governance," ISACA, US, 2007.