Cybersecurity Has A Metrics Problem

Building security metrics, measuring risk and improving cyber incident communications aren’t “one and done” processes. How are you doing at measuring risk in your organisation? 

Almost 4.2 billion records were exposed in 4,149 data breaches in 2016, according to a recent report from Risk Based Security. 

The worst-hit sectors were businesses at 51 percent of reported breaches, surpassing unknown (23.4 percent), government (11.7 percent), medical (9.2 percent) and education (4.7 percent) industries. While the number of data breaches remained about the same in 2015 and 2016, the number of records compromised skyrocketed last year. 

But wait, the Identity Theft Resource Center said there were 1,093 reported data breaches in 2016, 40 percent more than the 780 breaches in 2015. Confusing things further, the Privacy Rights Clearinghouse counted 538 breaches occurring in 2016 with just over 11 million records lost.

To be sure, there are plenty of explanations, different definitions, regional exceptions and so on to account for the conflicting numbers. If you add in disparate definitions of “security incidents,” numbers of “vulnerabilities,” “threats” or even what’s included under “cybersecurity,” you will see that different organisations use different terms, accounting and approaches, making apples-to-apples comparisons very hard.

But enough about tabulating industrywide security metrics. How are you doing at measuring risk in your organisation? 

Sadly, the gap between management expectations and reality usually gets worse when serious academic rigor is applied to measuring local cybersecurity programs. Many governments are just happy to have any security metrics at all. Often, easy-to-find items like “spam emails blocked” or “viruses detected and eliminated” are the only things counted, since network and security tools easily capture these cyber-alerts.

Digging deeper, is your security health report truly measuring risk and evaluating future investments in people, process and technology? No doubt, reporting big numbers to managers (often measured in the millions of hostile data elements removed) looks impressive on management reports, but has anyone asked tough questions about these reports lately? 

Have you ever matched the metrics you’re collecting to management decision-making? Consider the following:

  • Are the relevant definitions clear and consistent?
  • Is the threat intelligence data reliable? What is the process for creating security action items and priority levels? Who is (truly) looking at the captured data in a timely manner?
  • Where can leadership turn for answers during an incident?

What can be done?

Here are three steps you can take to strengthen cybersecurity metrics, communicate risk levels, and recommend actions to the right people up and down the management chain.

1. Know your enterprise security data, collection capabilities, policies and current reports. Who is doing what regarding your organization’s metrics collection processes now? Review risk assessments and security operation capabilities that are already in place from an end-to-end perspective. Ask what reports are really being read and used, and by whom.

2. Talk to top executives, financial staff, external partners and your internal team about “must have,” “nice to have” and “wasteful” metrics. What compliance reports are required by auditors? How can internal and external partners help? What risk-measuring results are expected? Consider whether cyber-insurance checklists and processes can help document risk-reducing steps that lower premium costs.

3. Build (and use) a meaningful security dashboard for executives. Make sure the details behind the metrics are real. As you build your future metrics model, examine best practices and talk with industry peers to understand what is working in your business sector. A few years back, the National Governors Association’s Resource Center for State Cybersecurity helped to build a template that can be used for government security dashboards. These templates are a helpful start. The Center for Internet Security consensus metrics are also valuable.

Building security metrics, measuring risk and improving cyber incident communications aren’t “one and done” processes. Seek to constantly improve and refine cybersecurity metrics, while maintaining your data. 

GovTech:
