Since 2017, TDI has championed the practice of Cybersecurity Performance Management (CPM). We see it as transformative in the evolution of cybersecurity teams, as organizations look to track, measure, and optimize their investments in cybersecurity performance. At present, businesses are pouring endless resources into the latest tools and software suites without considering the realistic return on their investment. If you could take a specific security initiative, a CSF Function, or even an overall cyber program and know exactly how strong your cybersecurity performance is, it changes everything. This new visibility into continuous performance against goals, along with measures of consistency and coverage, creates a far better understanding of risk and supports data-driven decision making that can truly improve security and curb excess spend. The insight that CPM provides will revolutionize the way organizations manage cybersecurity in support of the business.
CPM has been gaining traction in other circles, too. Gartner identified it as an emerging product category in its Hype Cycle for Cyber and IT Risk Management in both the 2021 and 2022 publications. Gartner’s Hype Cycle publications bring the spotlight to under-represented and emerging sectors of the industry, getting more eyes on new areas of innovation. In this publication, their stated aim was to “demonstrate the need for organizations to renew their attention on the fundamentals of risk management,” and to “provide the risk insights that are required to create strategies to build successful digital business processes.”
Gartner has picked up on something that we have long valued here at TDI: the value of targeted optimization efforts brought about by greater visibility into the day-to-day performance of cybersecurity teams. For years, businesses have been throwing millions of dollars at the issue of cybersecurity, endlessly inflating their tool stacks with the latest fad product. What has been lost in this scramble is the pursuit of operational performance and capital efficiency. At the end of the day, it doesn’t matter how sophisticated your product stack is if an engineer misconfigures an S3 bucket and leaves its contents publicly accessible. Cybersecurity performance management helps address the questions that must be at the heart of every board discussion:
- How well are we doing?
- What is our risk?
- Are we consistent and continuously improving?
- Are we compliant?
- What is our business value, our ROI?
To address these questions, we first need to understand how we can improve cybersecurity outcomes in a targeted and meaningful way. This requires visibility and performance tracking, a core part of performance management in general. Understanding where your team’s current performance lies is critical to tracking the movement from “where we are” to “where we need to be.” This can be automated by aggregating data that your existing tools already collect: vulnerability data from vulnerability scanners, identity management metrics from Active Directory, endpoint metrics from Microsoft Intune, and anything else relevant to tracking cybersecurity outcomes. With this data aggregated, you can begin to combine the puzzle pieces from the different tools into a meaningful and robust picture of your overall security posture.
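As an added illustration of the aggregation described above (this is example code written for this page, not TDI’s product or any vendor’s API), the script below combines constructed sample exports from a vulnerability scanner, a directory service and an endpoint manager into a handful of outcome-driven metrics. It reports a remediation-SLA rate, MFA enrollment for privileged accounts, endpoint compliance, telemetry coverage (what share of the asset inventory every source actually reports on) and a consistency score across reporting periods. The SLA thresholds, record layouts and target values are all assumptions chosen for the example.

```python
"""Outcome-driven cybersecurity performance metrics from aggregated tool data.

All records below are constructed sample data standing in for exports from a
vulnerability scanner, an AD-style directory and an Intune-style endpoint
manager. Field layouts and SLA thresholds are assumptions for this example.
"""
from datetime import date

# (asset, severity, first_seen, fixed_on or None if still open)
VULN_FINDINGS = [
    ("web-01", "critical", date(2024, 1, 2), date(2024, 1, 10)),
    ("web-01", "high",     date(2024, 1, 5), None),
    ("db-01",  "critical", date(2024, 1, 3), date(2024, 1, 30)),
    ("lap-07", "medium",   date(2024, 1, 8), date(2024, 1, 20)),
]
# (user, is_privileged, mfa_enrolled)
IDENTITY_RECORDS = [
    ("alice", True, True),
    ("bob",   True, False),
    ("carol", False, True),
    ("dave",  False, False),
]
# (device, compliant_with_baseline)
ENDPOINT_RECORDS = [
    ("web-01", True),
    ("db-01",  False),
    ("lap-07", True),
    ("lap-09", True),
]
# Authoritative asset inventory; lap-12 is known but reported by no tool.
INVENTORY = ["web-01", "db-01", "lap-07", "lap-09", "lap-12"]

# Assumed remediation SLA, in days, per severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}


def remediation_sla_rate(findings, as_of, sla=SLA_DAYS):
    """Share of findings closed within SLA. Open findings count as met only
    while they are still inside their SLA window as of `as_of`."""
    met = total = 0
    for _asset, severity, first_seen, fixed_on in findings:
        if severity not in sla:
            continue  # informational findings carry no SLA
        total += 1
        age = (fixed_on or as_of) - first_seen
        met += age.days <= sla[severity]
    return met / total if total else 0.0


def mfa_coverage(records, privileged_only=False):
    """Fraction of (optionally privileged-only) accounts enrolled in MFA."""
    pool = [r for r in records if r[1] or not privileged_only]
    return sum(1 for _u, _p, mfa in pool if mfa) / len(pool) if pool else 0.0


def endpoint_compliance_rate(records):
    """Fraction of managed devices meeting the configuration baseline."""
    return sum(1 for _d, ok in records if ok) / len(records) if records else 0.0


def telemetry_coverage(inventory, *sources):
    """Fraction of inventoried assets that appear in every data source.
    Low coverage means the other metrics describe only part of the estate."""
    seen_everywhere = set(inventory)
    for source in sources:
        seen_everywhere &= {rec[0] for rec in source}
    return len(seen_everywhere) / len(inventory) if inventory else 0.0


def consistency(period_scores, target):
    """Fraction of reporting periods in which a metric met its target."""
    if not period_scores:
        return 0.0
    return sum(1 for s in period_scores if s >= target) / len(period_scores)


def scorecard(as_of):
    """Roll the individual metrics into one view for reporting."""
    return {
        "remediation_sla": remediation_sla_rate(VULN_FINDINGS, as_of),
        "privileged_mfa": mfa_coverage(IDENTITY_RECORDS, privileged_only=True),
        "endpoint_compliance": endpoint_compliance_rate(ENDPOINT_RECORDS),
        "telemetry_coverage": telemetry_coverage(
            INVENTORY, VULN_FINDINGS, ENDPOINT_RECORDS),
    }


if __name__ == "__main__":
    for name, value in scorecard(date(2024, 2, 1)).items():
        print(f"{name:>20}: {value:.0%}")
```

The coverage metric is the one most often missing from dashboards: a 95% endpoint-compliance figure is only as good as the share of the inventory the endpoint manager actually sees, so report the two side by side.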
Cybersecurity performance management leverages this data to create a continuous view of the operational cybersecurity performance of your security team. This lets you identify strengths and weaknesses in your program, and the gaps that need to be filled to strengthen baseline cybersecurity performance. It is especially relevant today, as boards around the world look to increase oversight of cybersecurity operations in response to growing pressure from regulators. Gartner recognizes in the publication that,
“Security and risk management (SRM) leaders are under pressure to both reduce risk and also demonstrate and communicate the value, efficiency, and maturity of their security program to a broad range of stakeholders with differing and evolving expectations. After years of quarterly reporting on cybersecurity boards, boards are asking for improved reporting on the value of the program and an understanding of what the security program has achieved after years of significant investment.”
Additionally, Gartner recommends six steps for leaders looking to integrate a cybersecurity performance management approach into their security program:
- Establish an achievable and realistic vision for the security program.
- Use a combination of assessment approaches to assess the security program.
- Determine priorities and investments through informed conversations with executives by integrating risk, value, and cost optimization into business processes.
- Develop clear links among objectives, gaps, specific projects, and the vision statement to track and measure progress.
- Track outcomes through outcome-driven metrics.
- Evaluate both stand-alone supporting tools and capabilities based on their ability to enable a performance management approach.
At the end of the day, cybersecurity performance management is the key to truly advancing cybersecurity. As with many other business functions, executives and board members will look to measure the return on their investment. The key is to automate continuous monitoring and metrics collection in a way that drives costs down and improves situational awareness of your actual risk. Understanding your security performance baseline is the only way to drive performance and maturity across your program into the future.