In our previous post, we talked about the gap in cybersecurity achievement and performance. This post will talk about how using Key Performance Indicators (KPIs), or what we like to call Cybersecurity Performance Indicators (CPIs), can help your team gain efficiency and see a more complex risk picture.
The Silicon Valley legend, former Chairman and CEO of Intel, Andy Grove, wrote in his book “High Output Management” about the power of KPIs. Nothing has changed: to drive efficiency, quality and performance we need KPIs, especially in this era of needing to do more with less (what a concept). Throughout the course of modern history, we’ve seen the concept of KPIs play out in several professional disciplines. Let’s explore some example scenarios. During a board meeting or shareholder meeting, would a CFO report on the state of the business as fine because they use SAP? No, EBIT is the near de facto standard. Much like a project manager in charge of a large infrastructure project wouldn’t say, “all good, we have a large team and we’re using some cutting-edge tools and techniques.” This is because they are expected to deliver firm, industry-accepted metrics such as the Cost Performance Index and Schedule Performance Index. And finally, would it be acceptable for your customer service organization to simply cite the use of Salesforce and the number of calls they handle as an indicator of performance? Of course not; metrics such as Net Promoter Score (NPS) are the standard.
In this context, it now seems less than ideal to cite any of our aforementioned metrics to the CEO or Board as a measure of performance or maturity.
It’s time to change our conversations around cybersecurity in order to effectively baseline and mature our programs while truly understanding the underlying risks to the business we support. Moving away from vanity metrics starts with the basics. As Robert Hannigan, the former UK Intel Chief noted, “Despite the threat posed by sophisticated state-backed cyber-attacks, there’s a simple way to avoid 80 to 90 percent of cyber-attacks – doing the basics right.” I’m sure Equifax would agree.
One presumes you’ve already conducted a proper risk assessment to determine what business-critical information needs to be protected as well as identifying the threats which pose the greatest risk. On second thought, double check to see when this was last done and if it is complete enough to truly inform where your cyber dollars should be spent. After that, look to the CIS Top 20 to help guide your security journey. Some of you are thinking, “We get all this, we know what the crown jewel assets are, and already manage our asset inventories, we just rolled out ServiceNow as our asset Configuration Management Database (CMDB), and we’ve been using Rapid7 for years to manage our vulnerabilities.” Great! Then you should be able to tell me (or at least report to leadership) right now how effective those two areas are. After all, security professionals know that inventory and vulnerability management are fundamental pillars of a sound cyber program.
- What percentage of your endpoints are actually scanned for vulnerabilities and how often?
- What percentage of your endpoints are tagged in accordance with company policy?
- What is the average age of critical vulnerabilities on your network? How many vulnerabilities exist that exceed your time to remediate policy?
- Which departments or teams are performing better than others, and by how much?
- How are all of the above progressing over time? What is your baseline and what are you improving?
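The questions above are answerable only if the asset inventory and the vulnerability data are joined and measured against policy. The following is an added example, not code from the original post or from TDI or the CnSight platform, of computing those CPIs from a constructed asset list and constructed scan findings. The policy thresholds (a 7-day scan window, a 30-day remediation SLA for criticals), the department names and the asset ids are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy thresholds: assumed values for this example, substitute your own policy.
SCAN_WINDOW_DAYS = 7      # every endpoint must be scanned at least once a week
CRITICAL_SLA_DAYS = 30    # critical vulnerabilities must be remediated within 30 days


@dataclass(frozen=True)
class Asset:
    asset_id: str
    department: str
    tag_compliant: bool            # tagged per company policy (owner, classification, ...)
    last_scanned: Optional[date]   # None means the endpoint has never been scanned


@dataclass(frozen=True)
class Finding:
    asset_id: str
    severity: str                  # "critical", "high", ...
    first_seen: date
    remediated_on: Optional[date]  # None means still open


# Constructed sample data (not real assets or findings).
AS_OF = date(2024, 6, 30)          # reporting date
BASELINE = date(2024, 5, 1)        # baseline date for the trend comparison

ASSETS = [
    Asset("ws-001", "Finance", True, date(2024, 6, 28)),
    Asset("ws-002", "Finance", False, date(2024, 6, 10)),      # stale scan
    Asset("ws-003", "Engineering", True, date(2024, 6, 29)),
    Asset("ws-004", "Engineering", True, None),                # never scanned
    Asset("ws-005", "Engineering", False, date(2024, 6, 25)),
]

FINDINGS = [
    Finding("ws-001", "critical", date(2024, 5, 1), None),               # 60 days old
    Finding("ws-002", "critical", date(2024, 6, 20), None),              # 10 days old
    Finding("ws-003", "critical", date(2024, 4, 1), date(2024, 5, 15)),  # already fixed
    Finding("ws-004", "high", date(2024, 5, 20), None),                  # not critical
    Finding("ws-004", "critical", date(2024, 5, 10), None),              # 51 days old
]


def is_open(f: Finding, as_of: date) -> bool:
    """A finding is open on a date if it was seen by then and not yet remediated."""
    return f.first_seen <= as_of and (f.remediated_on is None or f.remediated_on > as_of)


def scan_coverage_pct(assets, as_of: date) -> float:
    """Percentage of endpoints scanned within the policy window ending at as_of."""
    cutoff = as_of - timedelta(days=SCAN_WINDOW_DAYS)
    scanned = sum(1 for a in assets if a.last_scanned is not None and a.last_scanned >= cutoff)
    return 100.0 * scanned / len(assets)


def tag_compliance_pct(assets) -> float:
    """Percentage of endpoints tagged in accordance with policy."""
    return 100.0 * sum(1 for a in assets if a.tag_compliant) / len(assets)


def critical_open(findings, as_of: date):
    return [f for f in findings if f.severity == "critical" and is_open(f, as_of)]


def avg_critical_age_days(findings, as_of: date) -> float:
    """Average age in days of critical vulnerabilities still open on as_of."""
    ages = [(as_of - f.first_seen).days for f in critical_open(findings, as_of)]
    return sum(ages) / len(ages) if ages else 0.0


def sla_breaches(findings, as_of: date):
    """Open criticals older than the remediation SLA on as_of."""
    return [f for f in critical_open(findings, as_of)
            if (as_of - f.first_seen).days > CRITICAL_SLA_DAYS]


def department_report(assets, findings, as_of: date) -> dict:
    """Per-department breakdown so teams can be compared against each other."""
    by_dept = defaultdict(list)
    for a in assets:
        by_dept[a.department].append(a)
    report = {}
    for dept, dept_assets in by_dept.items():
        ids = {a.asset_id for a in dept_assets}
        dept_findings = [f for f in findings if f.asset_id in ids]
        report[dept] = {
            "scan_coverage_pct": scan_coverage_pct(dept_assets, as_of),
            "tag_compliance_pct": tag_compliance_pct(dept_assets),
            "critical_sla_breaches": len(sla_breaches(dept_findings, as_of)),
        }
    return report


def trend(findings, baseline: date, current: date) -> dict:
    """(baseline, current) pairs for the vulnerability CPIs, i.e. are we improving?"""
    return {
        "avg_critical_age_days": (avg_critical_age_days(findings, baseline),
                                  avg_critical_age_days(findings, current)),
        "critical_sla_breaches": (len(sla_breaches(findings, baseline)),
                                  len(sla_breaches(findings, current))),
    }


if __name__ == "__main__":
    print(f"scan coverage: {scan_coverage_pct(ASSETS, AS_OF):.1f}%")
    print(f"tag compliance: {tag_compliance_pct(ASSETS):.1f}%")
    print(f"avg critical age: {avg_critical_age_days(FINDINGS, AS_OF):.1f} days")
    print(f"criticals past SLA: {len(sla_breaches(FINDINGS, AS_OF))}")
    print("by department:", department_report(ASSETS, FINDINGS, AS_OF))
    print("trend since baseline:", trend(FINDINGS, BASELINE, AS_OF))
```

Because findings carry their first-seen and remediation dates rather than just a current status, the same records answer the trend question: the vulnerability CPIs can be recomputed for any past date and compared with today without a separate spreadsheet of historical snapshots. In a real deployment the two lists would be pulled from the CMDB and the scanner's API, and the thresholds from the written policy.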
Let’s make a distinction here. It’s not the policies that govern these areas or even the evil “C” word, Compliance – that’s easy. Anyone can write these policies, purchase the tools, and gain “compliance”. I’m talking about the effectiveness of your operationalized cybersecurity. This means taking a hard look at the people, processes, and tools in place to execute the policy. Specifically, key Cybersecurity Performance Indicators (CPIs) which:
- Effectively communicate cybersecurity posture across the organization and up to the CIO and Board.
- Eliminate the need for manual data sources and reliance on the individuals who maintain and distribute them.
- Take advantage of your existing security investments.
- Baseline your organization and monitor effectiveness over time.
- Quickly identify what is working or needs to be fixed to increase performance.
- Inform your strategy and roadmap as your program grows in maturity.
- Keep you informed of the most important cybersecurity metrics across distributed teams and geographies.
- Align the organization with policies and promote a culture of risk management with incentive-based team competition.
Cybersecurity must be managed no differently from any of the aforementioned professional domains across the business (think Corporate Finance, Project Management, Sales, etc.). Each of these long-established disciplines contains its own universal method for answering the question, “how well are we doing?” Whereas in cybersecurity, we find that exact same question extremely difficult to answer and often fall back on answering a less insightful question, “What are we doing?”
Security leaders agree and want change. Of security leaders we spoke to, 74% said they see “significant value” in establishing, tracking, and communicating CPIs within their organization to measure cybersecurity effectiveness of teams, tools, and processes. Of course, this is easier said than done, and most leaders struggle to put this into practice. When we asked them to name their top three challenges to implementing enterprise-wide CPIs they said:
- Lack of automation / capability to automate
- Lack of qualified / available staff, we have no one to take this on
- Lack of funding, we can’t afford it
These are problems that must be addressed if we want to meaningfully improve the performance of our cybersecurity programs and reduce risk to the business. Thankfully, these are the exact challenges we’ve been fortunate enough to be working on at TDI. Our solution, the CnSight platform, is purpose-built for measuring cyber performance and maturity, transforming an organization’s tools, goals, and assets into attributable CPIs and data-informed actions to manage risk. This automation removes the traditional barriers (lack of budget, qualified staff, and time constraints) that prevent organizations from adopting meaningful cybersecurity metrics that inform and rapidly drive towards increasing levels of cyber program maturity.
Only by effectively managing performance do you fully understand risk
Cybersecurity has become an integral aspect of the business, customer experience, and our lives in general. It’s no longer acceptable to merely self-report status or massaged “metrics” that highlight the heroic activity of the security team. We need to demand more from ourselves and our profession. Let’s add the needed rigor to baseline and mature cybersecurity within our organizations, starting with the fundamentals, leveraging advances in automation to measure and monitor CPIs. The time is now to move away from the dark arts of cybersecurity by changing the conversation from one of “activity” to “achievement.”