Cybersecurity Has A Metrics Problem

Building security metrics, measuring risk and improving cyber incident communications aren’t “one and done” processes. How are you doing at measuring risk in your organisation? 

Almost 4.2 billion records were exposed in 4,149 data breaches in 2016, according to a recent report from Risk Based Security. 

The worst-hit sectors were businesses at 51 percent of reported breaches, surpassing unknown (23.4 percent), government (11.7 percent), medical (9.2 percent) and education (4.7 percent) industries. While the number of data breaches remained about the same in 2015 and 2016, the number of records compromised skyrocketed last year. 

But wait, the Identity Theft Resource Center said there were 1,093 reported data breaches in 2016, 40 percent more than the 780 breaches in 2015. Confusing things further, the Privacy Rights Clearing House counted 538 breaches occurring in 2016 with just over 11 million records lost. 

To be sure, there are plenty of explanations, different definitions, regional exceptions and so on to account for the conflicting numbers. If you add in disparate definitions of “security incidents,” numbers of “vulnerabilities,” “threats” or even what’s included under “cybersecurity,” you will see that different organisations use different terms, accounting and approaches, making apples-to-apples comparisons very hard.

But enough about tabulating industrywide security metrics. How are you doing at measuring risk in your organisation? 

Sadly the gap between management expectations and reality usually gets worse when serious academic rigor is applied to measuring local cybersecurity programs. Many governments are just happy to have any security metrics at all. Often, easy-to-find items like “spam emails blocked” or “viruses detected and eliminated” are the only things counted, since network and security tools easily capture these cyber-alerts. 

Digging deeper, is your security health report truly measuring risk and evaluating future investments in people, process and technology? No doubt, reporting big numbers to managers (often measured in the millions of hostile data elements removed) looks impressive on management reports, but has anyone asked tough questions about these reports lately? 

Have you ever matched the metrics you’re collecting to management decision-making? Are the relevant definitions clear and consistent?

  • Is the threat intelligence data reliable? What is the process for creating security action items and priority levels? Who is (truly) looking at the captured data in a timely manner?
  • Where can leadership turn for answers during an incident?
  • What can be done?

Here are three steps you can take to strengthen cybersecurity metrics, communicate risk levels, and recommended actions to the right people up and down the management chain.

Know your enterprise security data, collection capabilities, policies and current reports. Who is doing what regarding your organization’s metrics collection processes now? Review risk assessments and security operation capabilities that are already in place from an end-to-end perspective. Ask what reports are really being read and used, and by whom. 

Talk to top executives, financial staff, external partners and your internal team about “must have,” “nice to have” and “wasteful” metrics. What compliance reports are required by auditors? How can internal and external partners help? What risk-measuring results are expected? Consider if cyber-insurance checklists and processes can help document risk-reducing steps that lower premium costs. 

Build (and use) a meaningful security dashboard for executives. Make sure the detail behind the metrics are real. As you build your future metrics model, examine best practices and talk with industry peers to understand what is working in your business sector. A few years back, the National Governors Association’s Resource Center for State Cybersecurity helped to build a template that can be used for government security dashboards. These templates are a helpful start. The Center for Internet Security consensus metrics are also valuable. 

Building security metrics, measuring risk and improving cyber incident communications aren’t “one and done” processes. Seek to constantly improve and refine cybersecurity metrics, while maintaining your data. 

GovTech:

You Might Also Read:

Time To Speak The Language Of Risk:

Cultural Strategies For Data Security (£):

Cyber Security is Now Business Critical (£):

Make The Most Of Data Analytics:


 

« Hackers Stole A £60,000 BMW
Macron Hackers Linked To Russian Intelligence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Illumio

Illumio

Illumio delivers adaptive security for every computing environment, protecting the 80% of data center and cloud traffic missed by the perimeter.

IDnext

IDnext

IDnext is the open and independent platform to support innovative approaches in the world of the Digital identity.

Pole SCS (Secure Communicating Solutions)

Pole SCS (Secure Communicating Solutions)

SCS is a world-class competitiveness cluster dedicated to digital technologies in the fields of Microelectronics, Internet Of Things, Digital Security, Artificial Intelligence And Big Data.

Guy Carpenter

Guy Carpenter

Guy Carpenter delivers a powerful combination of broking expertise, strategic advisory services, and industry-leading analytics.

Torsion Information Security

Torsion Information Security

Torsion is an innovative information security and compliance engine, which runs either in the cloud or your data centre.

Sandia National Laboratories

Sandia National Laboratories

Sandia National Laboratories is a premier science and engineering lab for national security and technology innovation. Activity areas include Cyber and Infrastructure Security.

e-End

e-End

e-End provides hard drive shredding, degaussing and data destruction solutions validated by the highest electronic certifcations to keep you compliant with GLB, SOX, FACTA, FISMA, HIPAA, COPPA, ITAR.

Octane OC

Octane OC

OCTANe is building the SoCal of tomorrow. We drive innovation and growth by connecting people, resources and capital. Our Incubator focus is FinTech, Data Analytics and Cybersecurity.

Vigilant Technology Solutions

Vigilant Technology Solutions

Vigilant is a global cyber security technology company offering solutions to manage entire IT & cyber security lifecycles.

Fastcomcorp

Fastcomcorp

Fastcomcorp offers a world-class proactive cyber security defense and risk management consulting. Including Darkweb monitoring and posture assessments.

Nardello & Co

Nardello & Co

Nardello & Co. is a global investigations firm with experienced professionals handling a broad range of issues including Digital Investigations & Cybersecurity.

Dhound

Dhound

Dhound is a cybersecurity company providing web application penetration testing.

3B Data Security

3B Data Security

3B Data Security offer a range of Penetration Testing, Digital Forensics, Incident Response and Data Breach Management Services.

Dataships

Dataships

We help companies automate their privacy compliance while building healthy, transparent data relationships with their customers.

Advantex Network Solutions

Advantex Network Solutions

Advantex Network Solutions are a leading provider in Mitel, IT Solutions, Networking, and iP surveillance.

Quatrro Business Support Services (QBSS)

Quatrro Business Support Services (QBSS)

QBSS is a tech-enabled outsourcing firm that’s changing the way companies think about finance, accounting, human resources and technology services.