To our regular readers, welcome back and thank you! To those new readers, in celebration of Cyber Awareness Month, we’re releasing a series of posts outlining ways Cybersecurity Performance Management (CPM)™ can help you improve your cyber performance, reduce risk, and increase cyber ROI—all through the lens of the NIST Cybersecurity Framework (CSF). Last week, we talked about the “Identify” Security Function, which you can find here.
We’ll take you from the basics of CPM through to advanced practices with a weekly series of blog posts that chronicle how CPM helps your organization align itself with each of the CSF’s Security Functions, so you can take actionable steps toward securing your digital future. We’ll be posting throughout the month, so make sure you’re following on LinkedIn and X to get the latest.
Cybersecurity Performance Management (CPM)
If you are new to CPM, we encourage you to check out a more in-depth blog here, where we break down what CPM is and how it fits into your organization.
For the CliffsNotes version, CPM is the framework for effective cybersecurity and resiliency tied to your organization’s strategic cyber objectives, measured over time through meaningful performance metrics, which we define as Cybersecurity Performance Indicators (CPIs).
As it relates to the Framework as a whole, think of CPM as a way to supercharge how your organization aligns with and benefits from implementing CSF. CPM works across functions to provide the visibility needed for governance and risk management. By integrating CPM practices, organizations can enhance their cybersecurity posture, align security goals with the needs of the business, and proactively protect their systems, data, and assets.
NIST CSF “Detect” Function
The third security function and the focus of today’s post, “Detect”, is about ensuring organizational capability to detect cybersecurity events as they happen. While it’s important for businesses to be proactive in mitigating cyber risk, they also need to make sure they’re able to react when the situation calls for it. Detecting and identifying cybersecurity incidents quickly can be the difference between a minor security incident and a multi-million-dollar data breach, because every hour of undetected access gives the bad guys more time to snoop around your network. There’s a lot that falls into this category beyond the obvious incident response implications, such as testing and continuously updating detection processes, maintaining and monitoring logs, monitoring physical access, and mapping data flows to understand how you expect data to move across your ecosystem.
How CPM Enhances Cybersecurity Controls in the “Detect” Function
Cybersecurity Performance Management is a vital component in addressing cybersecurity controls within the Detect Security Function of the NIST CSF. CPM establishes clear performance metrics and cybersecurity performance indicators (CPIs) to measure the effectiveness of cybersecurity controls, which in this case helps support current and future organizational cybersecurity policy, processes, and increased visibility into business risk. These metrics provide organizations with insights into their security posture and help identify areas that require improvement. Example CPIs your organization may consider are:
- Mean time to detect (MTTD) to understand how quickly your team is detecting potential security incidents,
- Days since last physical security review to better identify the effectiveness of your physical security controls,
- False-positive detection rate to understand how often your detection process flags activity as a potential breach when it is not one, and
- Dwell time to figure out how long attackers had to do reconnaissance undetected on your network after the initial compromise.
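To make the four CPIs above concrete, here is an added example (not code from this post or from the CnSight platform) that computes each of them from a handful of constructed alert and incident records. The metric definitions are assumptions for illustration: MTTD is averaged over true-positive alerts from the time of the logged activity to the time the alert fired, the false-positive rate is the share of all alerts that triage closed as benign, and dwell time runs from the earliest evidence of compromise to the time the incident was confirmed. The `Alert` and `Incident` record types and all timestamps are made up for the example.

```python
"""Compute example Detect-function CPIs from constructed sample records."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Alert:
    event_time: datetime   # when the underlying activity occurred (log timestamp)
    alert_time: datetime   # when the detection fired and the team was notified
    true_positive: bool    # triage outcome: True if it was real malicious activity


@dataclass(frozen=True)
class Incident:
    compromised_at: datetime  # earliest evidence of initial compromise
    detected_at: datetime     # when the incident was confirmed by the team


def mean_time_to_detect_hours(alerts: Sequence[Alert]) -> float:
    """MTTD over true positives only: benign alerts say nothing about detection speed."""
    true_positives = [a for a in alerts if a.true_positive]
    if not true_positives:
        raise ValueError("no true-positive alerts in the reporting period")
    return mean((a.alert_time - a.event_time).total_seconds() for a in true_positives) / 3600


def false_positive_rate(alerts: Sequence[Alert]) -> float:
    """Share of all alerts that triage closed as not a real security event."""
    if not alerts:
        raise ValueError("no alerts in the reporting period")
    return sum(1 for a in alerts if not a.true_positive) / len(alerts)


def dwell_time_days(incidents: Sequence[Incident]) -> List[float]:
    """Per-incident time the attacker had on the network before detection."""
    return [(i.detected_at - i.compromised_at).total_seconds() / 86400 for i in incidents]


def days_since_last_physical_review(last_review: datetime, as_of: datetime) -> int:
    """Whole days elapsed since the most recent physical security review."""
    return (as_of - last_review).days


def detect_cpis(alerts: Sequence[Alert], incidents: Sequence[Incident],
                last_physical_review: datetime, as_of: datetime) -> Dict[str, float]:
    """Roll the individual CPIs up into one report row for the period."""
    dwell = dwell_time_days(incidents)
    return {
        "mttd_hours": mean_time_to_detect_hours(alerts),
        "false_positive_rate": false_positive_rate(alerts),
        "dwell_time_median_days": median(dwell),
        "dwell_time_max_days": max(dwell),
        "days_since_physical_review": days_since_last_physical_review(last_physical_review, as_of),
    }


# Constructed sample data for one reporting period (not real telemetry).
SAMPLE_ALERTS = [
    Alert(datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 30), True),    # 0.5 h to detect
    Alert(datetime(2024, 3, 1, 10, 0), datetime(2024, 3, 1, 12, 0), True),   # 2.0 h to detect
    Alert(datetime(2024, 3, 2, 8, 0), datetime(2024, 3, 2, 8, 15), False),   # benign, closed at triage
    Alert(datetime(2024, 3, 2, 14, 0), datetime(2024, 3, 2, 14, 5), False),  # benign, closed at triage
]
SAMPLE_INCIDENTS = [
    Incident(datetime(2024, 2, 20, 9, 30), datetime(2024, 3, 1, 9, 30)),   # 10 days of dwell
    Incident(datetime(2024, 2, 28, 12, 0), datetime(2024, 3, 1, 12, 0)),   # 2 days of dwell
]
LAST_PHYSICAL_REVIEW = datetime(2024, 1, 15)
REPORT_DATE = datetime(2024, 3, 3)


if __name__ == "__main__":
    for name, value in detect_cpis(SAMPLE_ALERTS, SAMPLE_INCIDENTS,
                                   LAST_PHYSICAL_REVIEW, REPORT_DATE).items():
        print(f"{name}: {value:.2f}")
```

Running this once per reporting period and keeping the resulting rows is what turns a single number into a trend, which is the point of a CPI: a rising median dwell time or a false-positive rate creeping toward half of all alerts is the signal to revisit detection content before it shows up as a breach.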
We have a ton of key metrics in our CPM automation platform CnSight. We have found that it can be difficult, ineffective, and costly for organizations to manage cyber metrics in spreadsheets or manual workflows, so we created CnSight to help organizations get started on their CPM journey. We want to make sure that CPM is an approachable avenue to a new way of approaching and understanding cybersecurity risk, and that is a much more manageable task when you utilize automation to simplify the process.
In closing, CPM is the first big step in supercharging your NIST CSF compliance. For more reading on CPM, and to learn about how CPM intertwines with the principles of Zero Trust Architecture (ZTA), check out our recent nSight Report: Are We There Yet? From Zero, to Zero Trust. In the report, we discuss in more detail how CPM and zero trust work together to effectively implement zero trust principles in a way that doesn’t leave either the business or security teams wanting.