This week on our blog, we have a guest post from Ben Chant who is on our market insights team at NTT Security.

A key challenge for information security professionals is justifying the need for investment in security programs and resources, largely because organisations struggle to understand how to measure the return on investment. This often results in organisations employing point technologies without considering the complexity of integrating them into existing systems, or relying on traditional security controls that are out of date and processes that have not adapted to the changing threat landscape.

Security teams often find it easier to measure risk by following a compliance and audit checklist. However, this is a misconception: it fails to consider not only the constant nuances of regulations and what they require of businesses, but also the advancements of cyber threats. More quantitative measurements, such as Time to Respond (measuring the speed of response) and False Positive Reporting Rate (validating that the threats being detected are real threats), can be seen as logical methods, albeit rather technical ones. Executive management often finds them difficult to comprehend, and the real value of these controls can end up being undersold.

Accurately measuring the effectiveness of security initiatives requires security experts to extensively assess the risk profile of their organisation’s entire IT infrastructure. This means identifying the key risks and their impact on key business operations, implementing the relevant controls and processes to remediate these risks, and ensuring that security operations are reducing these risks to an acceptable level.

For the whole business to be completely aligned on how effective security programs are, the communication of metrics needs to be tailored to different audiences and stakeholders within the organisation. This includes practitioners, IT managers, business managers and senior leaders, each of whom is given a related but different view.

To learn more about how NTT Security enables businesses to stay resilient in the digital economy, please visit or contact us.