Posted by: Mark Wolff, CTO, CANARIE
In almost any context, it is important to choose your words carefully to ensure you and your audience understand your message in the same way. In a complex environment like cybersecurity, it’s even more important that we share an understanding of the meaning of some key terms, particularly as they relate to measuring cybersecurity capabilities and understanding how these change over time. This common understanding is essential for decision-makers to evaluate effectiveness, progress, and priorities.
At CANARIE, I’ve worked with the Measurement and Metrics Working Group, a group providing guidance and advice to the Cybersecurity Advisory Committee, to align on the definitions of three key terms:
Assessment = the evaluation or estimation of the nature, quality, or ability of someone or something
This is the analysis of an organization's cybersecurity controls and of the ability of those controls to remediate vulnerabilities. It is performed against a framework, that is, a cybersecurity standard checklist.
Measurement = numerical attributes of an object or event, used to compare
These are individual cybersecurity metrics for items such as efficacy and performance.
Benchmarking = to evaluate or check by comparison to a standard
This is the process of comparison against a standard set by peers in the research and education sector. It is linked to both measurement and assessment, and to comparisons over time.
As we work with the community to determine the impact of funded initiatives on the overall cybersecurity capacity of Canada's research and education sector, it's important that we have a common understanding of these terms. When we share a common understanding of the need for assessment, measurement, and benchmarking, we are able to work cooperatively on determining where we are, where we must improve, and whether our initiatives are effective. This is the foundation from which, together, we can strengthen the cybersecurity capability of the whole sector.