One of the best ways to keep an organization on track with its goals is to monitor important metrics. This not only enables visibility into progress, allowing for early course correction, but also serves as an effective tool for longer-term strategic decision making. A Key Performance Indicator (KPI) is a quantifiable measurement used to evaluate the success of an organization, team, or employee, and KPIs can be critical in identifying areas in which an organization or team is over- or underperforming. Which specific KPIs to track will vary from organization to organization, but the general principle remains the same: identify important metrics that are indicative of your teams’ performance against established goals, and use them to better understand where attention needs to be focused to promote success. For some organizations, these will be the standard performance measurements such as mean time to detect, whereas other organizations may also value metrics that document progress in administrative and infrastructure rollouts, such as two-factor authentication compliance (the percentage of administrative accounts with 2FA enabled).
Here at TDI, we like to refer to the KPIs within the information security domain as CPIs, cybersecurity performance indicators, or in a broader context, cybersecurity performance improvement. Below we highlight some areas Chief Information Security Officers (CISOs) should care about beyond the standard detection, response, and remediation metrics. Regardless of the CPIs you select to automate, track, and report, they should…
› Effectively communicate across the organization and up to the CIO and Board
› Eliminate the need for manual data sources and reliance on the individuals who maintain them
› Take advantage of existing security investments
› Baseline the organization and monitor effectiveness over time
› Quickly identify what is working or needs to be fixed to increase performance
› Inform strategy and roadmap as the program grows in maturity
› Align the organization with policies and promote a culture of risk management with incentive-based team competition
Being able to see at a glance which teams are performing well is invaluable in learning what your organization’s strengths and weaknesses are. As the name indicates, the CPI Summary is a high-level measurement that illustrates your organization’s adherence to its established goals. Having these kinds of general compliance statistics at your fingertips is critical to understanding your organization’s overall performance improvement. For example, a good summary statistic might be the percentage of patched vulnerabilities in a given time frame. If you set a goal to have 80% of your documented vulnerabilities patched by the end of the month, you can measure your progress against this goal in an easily digestible package.
Understanding which team, area of security, or performance metric is a Performance Leader is imperative to maintaining a strong cybersecurity posture and ensuring that cybersecurity investments are producing measurable improvements in your teams’ performance. Additionally, tracking these kinds of metrics can be very effective in facilitating internal communication between teams and individuals with varying levels of technical knowledge. Performance Leader metrics can be especially useful in demonstrating organizational success to executives and investors who have several layers of abstraction between them and day-to-day cybersecurity operations.
Tracking performance laggards is just as important as tracking performance leaders. Being able to tell which indicators are performing poorly gives an organization’s security team valuable information on its weakest points. With a curated list of an organization’s worst-performing indicators, it becomes much easier to perform a risk assessment on those CPIs and determine which are the most important to prioritize for the best marginal return on investment.
Another powerful indicator is CPI recommendations. These recommendations show areas in which teams can improve, with detailed summaries and steps to remedy issues and strengthen cybersecurity posture. They are a powerful tool for understanding what the next steps are in increasing your overall security performance, with a helping hand along the way.
Keeping track of CPI metrics and overall cybersecurity performance is an important step in ensuring the effectiveness of your existing cybersecurity infrastructure as well as its continual improvement across the enterprise. Security is never finished; it requires constant improvement and adaptation as emerging threats demand and available resources allow. Understanding where your security performance stands in the moment and where it needs to be in the future is critical for promoting organizational success, because it empowers decision makers to allocate resources wisely for maximum benefit.