What gets measured, gets managed – and cybersecurity is no different. If you can’t measure your security efforts, you won’t know how you’re tracking.
Cybersecurity is not a one-time affair. Cyber threats are constantly evolving and the processes and technology needed to prevent them are constantly changing. You need to have measures in place to frequently assess the effectiveness of the safeguards you have invested in.
This is important for two reasons:
- Analysis of KPIs, key risk indicators (KRIs), and security postures provides a snapshot of how your security team is functioning over time, helping you understand what is working and what is worsening and improving decision-making about future projects.
- Metrics provide quantitative information that you can use to show management and board members you take the protection and integrity of sensitive information and information technology assets seriously.
Reporting and providing context on cybersecurity metrics is becoming an important part of the job for many Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs), driven by increasing interest in reporting at the shareholder, regulatory, and board levels.
Many board members in sectors like financial services have a fiduciary or regulatory duty to manage cybersecurity risk and protect personally identifiable information (PII).
This has been driven by new regulations like the Gramm-Leach-Bliley Act, NYDFS Cybersecurity Regulation, PIPEDA, and CPS 234. Pair this with extraterritorial data protection laws like GDPR, CCPA, and LGPD and security management becomes a key focus for every organization.
14 Cybersecurity KPIs to Track
Below are examples of clear KPIs and metrics you can track and present to your stakeholders:
1. Level of Preparedness
How many devices on your corporate network are fully patched and up to date? Vulnerability scanning and vulnerability management is one of the 20 CIS Controls and can reduce the risk of vulnerability exploits.
2. Unidentified Devices on Internal Networks
Employees can introduce malware and other cyber risks when they bring in their own devices, as can poorly configured Internet of Things (IoT) devices, which is why network intrusion detection systems are an important part of your organization’s security.
3. Intrusion Attempts
How many times have bad actors attempted to gain unauthorized access?
4. Security Incidents
How many times has an attacker breached your information assets or networks?
5. Mean Time to Detect (MTTD)
How long do security threats go unnoticed? MTTD measures how long it takes your team to become aware of indicators of compromise and other security threats.
6. Mean Time to Resolve (MTTR)
What is the mean time for your team to respond to a cyber attack once they are aware of it? This is a great measure of the quality of your incident response plan implementation.
7. Mean Time to Contain (MTTC)
How long does it take to close identified attack vectors across all endpoints?
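The three time-based KPIs above (MTTD, MTTR, MTTC) are easiest to reason about when computed from incident timestamps. The following added example, which is not part of the original article, computes them from a constructed incident list and excludes incidents that are still open from the containment and resolution means so they do not skew the averages; the `Incident` field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    """One security incident (constructed schema); open incidents have no resolved_at."""
    name: str
    compromised_at: datetime                  # earliest evidence of attacker activity
    detected_at: datetime                     # when the team became aware of it
    contained_at: Optional[datetime] = None   # attack vector closed on all endpoints
    resolved_at: Optional[datetime] = None    # incident fully closed


def _mean_hours(deltas):
    """Mean of a list of timedeltas in hours, or None when there is nothing to average."""
    return round(mean(d.total_seconds() for d in deltas) / 3600, 2) if deltas else None


def incident_kpis(incidents):
    """MTTD = compromise -> detection, MTTC = detection -> containment,
    MTTR = detection -> resolution, all in hours. Open incidents count
    toward MTTD only and are reported separately."""
    mttd = _mean_hours([i.detected_at - i.compromised_at for i in incidents])
    mttc = _mean_hours([i.contained_at - i.detected_at for i in incidents if i.contained_at])
    mttr = _mean_hours([i.resolved_at - i.detected_at for i in incidents if i.resolved_at])
    open_count = sum(1 for i in incidents if i.resolved_at is None)
    return {"mttd_hours": mttd, "mttc_hours": mttc,
            "mttr_hours": mttr, "open_incidents": open_count}


# Constructed sample data, not real incidents.
T0 = datetime(2024, 3, 1, 8, 0)
SAMPLE_INCIDENTS = [
    Incident("phished-credentials", T0, T0 + timedelta(hours=4),
             T0 + timedelta(hours=6), T0 + timedelta(hours=10)),
    Incident("web-shell-on-dmz-host", T0, T0 + timedelta(hours=48),
             T0 + timedelta(hours=50), T0 + timedelta(hours=72)),
    Incident("blocked-ransomware", T0, T0 + timedelta(hours=2),
             T0 + timedelta(hours=3), None),  # contained but still open
]

if __name__ == "__main__":
    print(incident_kpis(SAMPLE_INCIDENTS))
```

Reporting the open-incident count next to the means stops a long-running investigation from silently disappearing from the MTTR figure.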
8. First Party Security Ratings
Security ratings are often the easiest way to communicate metrics to non-technical colleagues through an easy-to-understand score.
Goliath will assess your cybersecurity posture based on 50+ criteria in real-time including network security, phishing risk, DNSSEC, email spoofing, social engineering risk, DMARC, risk of man-in-the-middle attacks, data leaks, and vulnerabilities.
Security ratings can feed into your cybersecurity risk assessment process and help inform which information security metrics need attention.
9. Average Vendor Security Rating
The threat landscape for your organization extends beyond your borders and your security performance metrics must do the same.
This is why vendor risk management and a robust third-party risk management framework are essential requirements for security operations. Traditional vendor management practices are limited to a snapshot of your vendor security ratings at a single point in time. By continuously monitoring vendor risks, you can greatly reduce your third-party and fourth-party risk.
10. Patching Cadence
How long does it take your team to implement application security patches or mitigate high-risk CVE-listed vulnerabilities?
Cybercriminals often use threat intelligence tools and exploit the lag between patch release and implementation. A great example of this is the widespread success of WannaCry, a ransomware worm. WannaCry exploited a zero-day vulnerability called EternalBlue; although it was quickly patched, many organizations fell victim anyway due to poor patching cadence.
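Patching cadence and the level of preparedness from KPI 1 come from the same data: which devices have installed which vendor patches and when. This added example (not the article's own code) computes the mean release-to-install lag for high-severity patches, the share of devices with no high-severity patch missing, and the devices past an assumed 14-day SLA, over a constructed patch inventory.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class PatchRecord:
    """One (device, patch) pair from a constructed inventory export."""
    device: str
    patch_id: str
    severity: str                     # "high" or "low"
    released: date                    # vendor release date
    installed: Optional[date] = None  # None means the patch is still missing


def patching_kpis(records, as_of, high_sla_days=14):
    """Patching cadence (mean days from release to install for high-severity
    patches), preparedness (% of devices with no missing high patch) and the
    devices whose missing high patch is older than the SLA as of `as_of`."""
    high = [r for r in records if r.severity == "high"]
    lags = [(r.installed - r.released).days for r in high if r.installed]
    cadence = round(mean(lags), 1) if lags else None
    devices = {r.device for r in records}
    exposed = {r.device for r in high if r.installed is None}
    overdue = sorted({r.device for r in high
                      if r.installed is None and (as_of - r.released).days > high_sla_days})
    prepared_pct = (round(100 * (len(devices) - len(exposed)) / len(devices), 1)
                    if devices else None)
    return {"high_patch_cadence_days": cadence,
            "prepared_pct": prepared_pct,
            "overdue_devices": overdue}


# Constructed sample inventory; patch ids and hosts are placeholders.
SAMPLE_PATCHES = [
    PatchRecord("ws-01", "PATCH-A", "high", date(2024, 3, 1), date(2024, 3, 5)),
    PatchRecord("ws-02", "PATCH-A", "high", date(2024, 3, 1), date(2024, 3, 12)),
    PatchRecord("ws-03", "PATCH-A", "high", date(2024, 3, 1), None),   # missing, 24 days old
    PatchRecord("ws-03", "PATCH-B", "low", date(2024, 3, 10), date(2024, 3, 11)),
    PatchRecord("ws-04", "PATCH-C", "high", date(2024, 3, 20), None),  # missing, inside SLA
]

if __name__ == "__main__":
    print(patching_kpis(SAMPLE_PATCHES, as_of=date(2024, 3, 25)))
```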
11. Access Management
How many users have administrative privileges? Access control and the principle of least privilege are simple, cost-effective methods of reducing privilege escalation attacks.
12. Company vs Peer Performance
At the board level, how your organization’s cybersecurity performance compares to that of its industry peers is a key metric. This information is easily digestible, visually appealing and highly compelling, which makes it a top choice for board presentations.
13. Vendor Patching Cadence
This metric involves determining how many open risks your third-party vendors have and how many critical vulnerabilities are yet to be remediated.
14. Mean Time for Vendor Incident Response
A security incident isn’t just a successful cyber attack; intrusion attempts against your vendors can signal that your organization is a potential target. The longer it takes vendors to respond to incidents, the higher the chance you will suffer a third-party data breach. In fact, some of the biggest data breaches are the result of poor vendor management.
How to Choose the Right Cybersecurity Metrics
There is no hard and fast rule for choosing cybersecurity KPIs and KRIs. These metrics will depend on your industry, your organization’s needs, regulations, guidelines, best practices and, ultimately, your and your customers’ appetite for risk.
That said, you will want to choose metrics that are clear to anyone, even non-technical stakeholders. A good rule of thumb is if your non-technical stakeholders can’t understand them, you need to pick new metrics or do a better job of explaining them.
Benchmarks and industry comparisons are an easy way to make even complex metrics understandable.
And remember that one of the most important metrics is cost. The goal of presenting to the executive team and board is to make a succinct point about how cybersecurity is saving the organization money or generating additional revenue.
This shouldn’t be too hard to justify, given that the average data breach could cost organizations millions.