To celebrate Cyber Awareness Month, we’re releasing a series of posts outlining ways Cybersecurity Performance Management (CPM)TM can help you improve your cyber performance, reduce risk, and increase cyber ROI—all through the lens of the NIST Cybersecurity Framework (CSF).
We’ll take you from the basics of CPM through to advanced practices with a weekly series of blogs posts that chronical how CPM helps your organization align itself with each of the CSF’s Security Functions to help you take actionable steps toward securing your digital future. We’ll be posting throughout the month, so make sure you’re following on LinkedIn and X to get the latest.
Cybersecurity Performance Management (CPM)
If you are new to CPM, we encourage you to check out a more in-depth blog here, where we break down what CPM is and how it fits into your organization.
But if you’re in a rush, no problem. What you need to know is that CPM is the framework for effective cybersecurity and resiliency tied to your organization’s strategic cyber objectives; measuring meaningful performance metrics (defined as Cybersecurity Performance Indicators (CPIs)) – over time.
As it relates to the Framework as a whole, think of CPM as a way to supercharge how your organization aligns and benefits from implementing CSF. CPM works across functions to facilitate the visibility needed for governance and risk management. By integrating CPM practices, organizations can enhance their cybersecurity posture, align security goals with the needs of the business, and proactively protect their systems, data, and assets.
NIST CSF “Protect” Function
The first security function and the focus of today’s post, “Protect”, is designed to ensure organizations can develop and implement effective safeguards to protect their systems, data, and assets. It emphasizes the need for proactive measures to defend against potential threats and vulnerabilities. This function includes various categories and subcategories, such as access control, data protection, and training and awareness, which form the basis of cybersecurity controls.
How CPM Enhances Cybersecurity Controls in the Protect Function
Cybersecurity Performance Management is a vital component in addressing cybersecurity controls within the Protect Security Function of the NIST CSF. CPM establishes clear performance metrics and cybersecurity performance indicators (CPIs) to measure the effectiveness of cybersecurity controls within the Protect function. These metrics provide organizations with insights into their security posture and help identify areas that require improvement. Example CPIs your organization may consider are:
- Percentage of users protected by Multifactor Authentication to help identify gaps in access control schemes,
- Percentage of users not clicking on phishing email links to understand how well you are training your users,
- Average Age of the oldest Critical vulnerability on your systems to evaluate how well your team is quickly identifying and remediating critical vulnerabilities,
- Percentage of scanned hosts in inventory to better understand the delta between your organizational IT asset inventory and what devices are actually being scanned for vulnerabilities up on your networks, and
- Percentage of hosts fully encrypted to get insight into how much of your end user devices are adequately protected with endpoint management software.
We have all of these key metrics and dozens more in our CPM automation platform CnSight. We have found that it can be difficult, ineffective, and costly for organizations to manage cyber metrics in spreadsheets or manual workflows, so we created CnSight to help organizations get started on their CPM journey. We want to make sure that CPM is an approachable avenue to a new way of approaching and understanding cybersecurity risk, and that is a much more manageable task when you utilize automation to simplify the process.
In closing–CPM is the first big step in supercharging your NIST CSF compliance. For more reading on CPM, and to learn about how CPM intertwines with the principles of Zero Trust Architecture (ZTA), check out our recent nSight Report: Are We There Yet? From Zero, to Zero Trust. In the report, we discuss in more detail how CPM and zero trust work together to effectively implement zero trust principles in a way that doesn’t leave either the business or security teams wanting.