The environment itself is evolving in several key ways:

• Growing network, infrastructure and architectural complexity create a greater number and variety of connections that can be targets of cyberattacks.
• Increasing sophistication of threats and poor threat sensing make it hard to keep track of the growing number of information security controls, requirements and threats.
• Third-party vulnerabilities will persist as organizations continue to struggle to establish minimum but robust controls for third parties — especially as most vendors, in particular cloud vendors, are themselves relying on third parties (which become your fourth parties and so on).
• Cybersecurity debt has grown to unprecedented levels as new digital initiatives, frequently based in the public cloud, are deployed before the security issues are addressed.
• Cyber-physical systems are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). Connecting the digital and physical worlds (as in smart buildings) presents a unique and growing area of vulnerability.

Most cybersecurity metrics used today are trailing indicators of factors the organization does not control (e.g., “How many times were we attacked last week?”). Instead, focus on metrics related to specific outcomes that prove your cybersecurity program is credible and defensible.

Gartner expects that by 2024, 80% of the magnitude of fines regulators impose after a cybersecurity breach will result from failures to prove the duty of due care was met, as opposed to the impact of the breach.

Gartner advocates the “CARE” model of outcome-driven metrics (ODMs):