by Anastasios Arampatzis
Cybersecurity performance is the process of evaluating and overseeing the effectiveness of your security program. Managing the performance of your cybersecurity program can be challenging as the usual performance indicators don’t apply. An additional challenge that organizations face is that the business landscape changes; new technologies evolve, and threats are advancing quickly. In light of this ever-changing threat landscape, it may be hard to know how your cybersecurity program is performing. However, cybersecurity performance management is possible.
If you are going to manage the performance of your cybersecurity program, you have to be able to measure it. Security metrics improve decision making by helping risk management and security teams take a risk-based, outcome-driven approach to assessing and managing their organization’s cybersecurity posture. Despite the benefits, a surprisingly large number, 58%, of organizations aren’t adequately measuring the effectiveness of their cybersecurity programs against best practices.
What are the key performance indicators (KPIs)?
Good cybersecurity performance management tells you where your security program is succeeding, where your weak spots are, and helps your security team and leadership understand what steps you need to take to make your security program stronger.
This is done by measuring your security program against key performance indicators (KPIs), such as:
- The time to detect security-related incidents
- The time to respond to security incidents
- Number of reported incidents
- The number and frequency of unreported incidents discovered after the event
- Threat intelligence
- Level of preparedness
- Security training results
- The absence of unexpected security incidents
- Your organization’s external security rating
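As an added illustration (not code from the original article), the first four KPIs above can be derived from incident records once each record carries an occurrence, detection and containment timestamp plus a flag for whether your own monitoring caught it or it was discovered after the event; the incident data below is constructed, and the grouping by quarter is an assumed reporting period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    occurred: datetime   # when the compromise began (from forensic evidence)
    detected: datetime   # when the security team first became aware of it
    contained: datetime  # when the incident was contained/closed
    self_reported: bool  # True: found by own monitoring; False: discovered after the event


# Constructed sample records for illustration only; not real incident data.
INCIDENTS = [
    Incident(datetime(2021, 1, 3, 8), datetime(2021, 1, 3, 20), datetime(2021, 1, 4, 2), True),
    Incident(datetime(2021, 2, 10), datetime(2021, 2, 12), datetime(2021, 2, 13, 12), False),
    Incident(datetime(2021, 3, 1, 10), datetime(2021, 3, 1, 16), datetime(2021, 3, 1, 22), True),
    Incident(datetime(2021, 3, 20), datetime(2021, 3, 22, 6), datetime(2021, 3, 23, 6), False),
    Incident(datetime(2021, 4, 5, 9), datetime(2021, 4, 5, 13), datetime(2021, 4, 5, 16), True),
    Incident(datetime(2021, 5, 14), datetime(2021, 5, 14, 20), datetime(2021, 5, 15, 8), True),
    Incident(datetime(2021, 6, 2, 6), datetime(2021, 6, 2, 12), datetime(2021, 6, 2, 21), False),
]


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def kpis(incidents):
    """Time to detect, time to respond, incident count and the share of incidents
    that were not caught by monitoring but discovered afterwards."""
    if not incidents:
        return {}
    return {
        "incidents": len(incidents),
        "mttd_hours": round(mean(hours(i.detected - i.occurred) for i in incidents), 1),
        "mttr_hours": round(mean(hours(i.contained - i.detected) for i in incidents), 1),
        "unreported_share": round(sum(not i.self_reported for i in incidents) / len(incidents), 2),
    }


def kpis_by_quarter(incidents):
    """Bucket incidents by detection quarter so the trend over time is visible,
    rather than a single point-in-time snapshot."""
    buckets = {}
    for i in incidents:
        quarter = f"{i.detected.year}Q{(i.detected.month - 1) // 3 + 1}"
        buckets.setdefault(quarter, []).append(i)
    return {q: kpis(v) for q, v in sorted(buckets.items())}


if __name__ == "__main__":
    for quarter, values in kpis_by_quarter(INCIDENTS).items():
        print(quarter, values)
```

A falling MTTD and MTTR alongside a shrinking unreported share is the trend a board-level report should be able to show; a rising unreported share means incidents are being found by outsiders before your own monitoring sees them.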
Why is cybersecurity performance management important?
Cybersecurity is not a fire-and-forget exercise. Cyber threats are constantly evolving, and the processes and technology needed to prevent them are constantly changing. You need to have measures in place to continuously assess the effectiveness of the cybersecurity controls you have invested in to safeguard your organization. This is important for two reasons:
- Analysis of KPIs provides a snapshot of how your security team is functioning over time, improving decision-making about future projects.
- Metrics provide quantitative information that you can use to show business leadership that the protection and integrity of sensitive information is adequate and efficient.
Reporting and providing context on cybersecurity metrics has become an essential part of the CISO’s job, driven by increasing interest in reporting at the board level. With the average cost of a data breach rising from $3.86 million to $4.24 million globally during 2021, you can see why cybersecurity has become so important.
Executives in sectors like financial services or healthcare have a fiduciary or regulatory duty to manage cybersecurity risk and protect personally identifiable information (PII). This has been driven by new regulations like GDPR, NIS, HIPAA, PCI DSS and others.
That is why choosing the correct KPIs is an important exercise. There is no standard rule for choosing cybersecurity KPIs. These metrics will depend on your industry, organization needs, regulations, guidelines, best practices and ultimately, your risk appetite.
When choosing your metrics, make sure they are clear to everyone, even non-technical stakeholders. If your non-technical stakeholders can’t understand them, you need to pick new metrics or do a better job of explaining them. Benchmarks and industry comparisons are an easy way to make even complex metrics understandable.
Above all, one of the most important metrics is cost. The goal of presenting to the executive team and board is to make a succinct point about how cybersecurity is saving the organization money or generating additional revenue.
The challenges of cybersecurity performance management
Although metrics are key, they can also be a distraction. If you’re tracking too many metrics, or if your KPIs are subjective or irrelevant, the story you’re trying to tell about your cybersecurity program can get distorted.
McKinsey offers the example of reports sent by the security team to senior management that feature references to “the millions of attacks the organization faces per week or per day.” While “millions of attacks” sounds impressive, those incidents are likely not from skilled cybercriminals, and are probably pretty easy to mitigate.
Focusing on just the number of deflected incidents can provide management with a false sense of security. The executives have no clear sense of the overall magnitude of the risk from cyberattacks, malware, and data leaks. Neither do they know what is needed to improve protection of their key assets against the biggest threats. Executives might think they’ve got a robust cybersecurity program — after all, they’re catching and resolving millions of attacks a week — when in fact the real threats are flying under the radar.
Another pitfall in cybersecurity management is static reporting. Organizations may be relying on metrics that are only issued periodically, such as point-in-time assessments. Those reports are snapshots capturing just one moment. A vendor that’s in compliance when a questionnaire is filled out may be out of compliance the next day.
How ADACOM can help you build an effective cybersecurity program
Risks related to information protection are usually managed in an ad hoc manner, resulting in more risks. The convergence of the cyber, virtual and physical worlds, the high adoption of IoT and smart technology, digitalization and the revolutionary transformation to Industry 4.0 provide the power to drive effectiveness and efficiency. At the same time, they increase the attack surface, which may lead to compromise of intellectual property, loss of revenue and injuries.
This changing business landscape requires an approach towards information resilience and holistic security risk management, in order to enable an organization to maximize the trustworthiness of its information and the reliability of its automated processes.
ADACOM has established its own GRC & Assurance Services portfolio based on Information Resilience, which goes beyond the traditional Information & Digital Security models. Specifically, ADACOM offers Chief Information Security Officer (CISO) Services, through which appropriate guidance and consultation is provided on a cybersecurity program that fits each organization depending on its context, regulatory environment and management risk appetite. Moreover, ADACOM offers a wide variety of Offensive Services for identifying attack vectors and paths, as well as measuring the overall technical risk in organizational ecosystems.
Contact us to learn how we can help you.