Efficiency is one of the most sought-after qualities when analyzing an organization's performance. This is true in just about any area, whether it is the use of budget, labor hours, or sales, and especially cybersecurity performance. In an industry where most organizations benchmark their cybersecurity performance on fuzzy metrics such as team size, overall security spend, and the use of any number of cybersecurity frameworks, it is critical to take a step back and evaluate how well your organization is actually performing on the basics. Those metrics tell you nothing about your organization's true performance, because they give you no insight into how well your security team is handling the day-to-day operations of patching, scanning, vulnerability management, and proper network security.
With the ever-evolving threat landscape, organizations must always be proactive in increasing their cybersecurity capabilities while ensuring that they are doing the basics correctly. At the end of the day, it doesn't matter what expensive tools you deploy, how large your security team is, or which cybersecurity framework your organization uses if a sensitive server is misconfigured or systems aren't being adequately patched. Identifying weak points in a cybersecurity program is critical to establishing a culture of continuously improving your organization's cybersecurity performance, and doing it right requires insight into key performance metrics. Part of this is maintaining continuous visibility over assets and processes, but you also need to be able to track organizational progress towards the security goals your organization has set. For example, if your goal is to ensure that all business-critical systems remediate all "high" or "critical" vulnerabilities within seven days of detection, and your metrics say that several systems are not meeting the seven-day deadline, then you have an actionable deficiency to address.
Key Cyber Metrics
What your organization tracks will depend greatly on environmental variables such as the size of the organization and the sophistication of the security team, but there are three broad categories that should be kept in mind: performance leaders, performance laggards, and summary metrics. Performance leader metrics, as you might imagine, are those that highlight strong results closely aligned with your organization's goals; they are good indicators of how well your team is performing in a specific area. Use them to highlight success and promulgate best practices across the organization. Performance laggards are perhaps even more important because they highlight the opposite: the areas where your organization's performance is weakest. These metrics give you the clearest idea of what needs to be done, allowing for more effective, targeted improvements to baseline cybersecurity performance. Finally, summary metrics target areas that you as an organization should care about in general. Think of these not as team-based metrics but as summary-level performance across a particular dimension, for example "Percentage of web-facing assets scanned for vulnerabilities every 7 days".
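As an added example (not code from the original post), the following Python computes the two metrics the text names over a constructed asset inventory and finding list: the seven-day remediation deadline for high/critical vulnerabilities (reported as a laggard list and as per-team compliance, so leaders and laggards are visible side by side) and the summary metric "percentage of web-facing assets scanned within 7 days". The asset records, team names, dates and field names are all assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical asset inventory and scanner export).
TODAY = date(2024, 3, 15)
SLA_DAYS = 7          # high/critical findings must be fixed within this many days
SCAN_WINDOW_DAYS = 7  # every web-facing asset must be scanned at least this often

ASSETS = [  # id, owning team, internet exposure, date of last vulnerability scan
    {"id": "web-01", "team": "platform", "web_facing": True,  "last_scan": date(2024, 3, 13)},
    {"id": "web-02", "team": "platform", "web_facing": True,  "last_scan": date(2024, 3, 1)},
    {"id": "api-01", "team": "payments", "web_facing": True,  "last_scan": date(2024, 3, 14)},
    {"id": "db-01",  "team": "payments", "web_facing": False, "last_scan": date(2024, 2, 20)},
]
VULNS = [  # one finding per row; fixed=None means the finding is still open
    {"asset": "web-01", "severity": "critical", "detected": date(2024, 3, 2),  "fixed": date(2024, 3, 6)},
    {"asset": "web-02", "severity": "high",     "detected": date(2024, 3, 1),  "fixed": None},
    {"asset": "api-01", "severity": "high",     "detected": date(2024, 3, 12), "fixed": None},
    {"asset": "db-01",  "severity": "medium",   "detected": date(2024, 2, 1),  "fixed": None},
]

def scan_coverage(assets, today=TODAY, window=SCAN_WINDOW_DAYS):
    """Summary metric: percentage of web-facing assets scanned within the window."""
    web = [a for a in assets if a["web_facing"]]
    fresh = [a for a in web if (today - a["last_scan"]).days <= window]
    return round(100 * len(fresh) / len(web), 1) if web else 100.0

def _days_to_fix(v, today):
    """Age of a finding: detection to fix date, or to today if it is still open."""
    return ((v["fixed"] or today) - v["detected"]).days

def sla_breaches(vulns, today=TODAY, sla=SLA_DAYS):
    """Laggard metric: high/critical findings that missed the remediation deadline."""
    return [(v["asset"], v["severity"], _days_to_fix(v, today))
            for v in vulns
            if v["severity"] in ("high", "critical") and _days_to_fix(v, today) > sla]

def sla_compliance_by_team(assets, vulns, today=TODAY, sla=SLA_DAYS):
    """Leader/laggard view: percentage of high/critical findings fixed within SLA, per team."""
    owner = {a["id"]: a["team"] for a in assets}
    totals, met = {}, {}
    for v in vulns:
        if v["severity"] not in ("high", "critical"):
            continue
        team = owner[v["asset"]]
        totals[team] = totals.get(team, 0) + 1
        met[team] = met.get(team, 0) + (_days_to_fix(v, today) <= sla)
    return {t: round(100 * met[t] / n, 1) for t, n in totals.items()}
```

Open findings are aged against today rather than ignored, so a breach shows up the day the deadline passes instead of only after the fix lands.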
How tracking streamlines productivity
As we have established, keeping track of cybersecurity performance indicator (CPI) metrics and overall cybersecurity performance is an important step in ensuring the effectiveness of your existing cybersecurity infrastructure as well as its continual improvement. Security is never a finished game; it requires constant improvement and adaptation as available resources allow. Understanding where your security performance stands in the moment and where it needs to be in the future is critical to organizational success, because it empowers decision-makers to allocate resources for maximum benefit. Tracking key performance metrics allows for precise, targeted prioritization of organizational goals, streamlining productivity and ensuring that your organization has a strong baseline of security practices.
More tools, more complexity
Another frequently misunderstood concept in the world of cybersecurity is the tendency to stack tools on top of tools, with the idea that each additional tool makes you more secure. In reality, each additional tool has a smaller marginal benefit than the previous one while increasing the complexity of implementation and maintenance. Maintaining a simple but effective tool stack is the name of the game, because increasing complexity often results in inconsistent implementation and a loss of insight into the performance of basic cybersecurity standards. As a prime example of this phenomenon, look no further than the infamous Equifax breach. Even though Equifax touted an $85M security budget, a large security team, and a significant vulnerability management operation, it took 76 days to identify the breach, 145 days to patch, and over two weeks to notify their CEO of the breach. Equifax was hitting all the traditional benchmarks of cybersecurity spending, tool stack, and team size, but without a way of measuring the effectiveness of its cybersecurity performance, it allowed its basic cybersecurity standards to slip.
Monitoring CPIs & Cyber Performance
Keeping track of CPIs and overall cybersecurity performance is an important step in ensuring the effectiveness of your existing cybersecurity infrastructure as well as its continual improvement. Look to automate continuous monitoring and metrics collection in a way that drives costs down and improves situational awareness of your actual risk. Understanding where your security performance baseline lies is the only way to drive performance and maturity across your program into the future. Empower yourself with data-driven decision-making to build a culture of accountability and effectiveness, and to do more with less.