How to Measure Cybersecurity Success

Uploaded on 2018-06-28 in NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Resilience

When performance is measured, performance improves. When performance is measured and reported back, the rate of improvement accelerates.   By Gary Manley

Key Performance Indicators (KPIs) are fundamental to determining success in business. There are many industries and functions with long established KPIs such as inventory turnover or gross profit margin as a percentage of sales. 

Performance measures in the cyber-security field, being a newer discipline, does not have the same level of interest and KPIs in the way that other areas do. 

So how do you measure success in cyber-security? After all, if you can't measure it, you can't manage it. 
 

What to Measure?

In today's world, we constantly talk about cyber breaches. However, we rarely talk about cyber-security successes. Perhaps it's because of the vast number of incidences reported in the news that we don't.  Or, perhaps it's because there are some who are only concerned about one success metric, whether a cyber-security incident has occurred or not. This is poor business practice since it does not provide a real-time snapshot of an organisation's cyber-security posture, only one instant in time.

Cyber Implementation Measurements
An organisation's implementation measurements are used to monitor compliance to the organisation's security standard. 
The key to maintain a high level of performance in regards to implementation measurements is to establish a security baseline first, and continuously improve until you are constantly operating at or near 100%. 
Once you have a security baseline established, you should have a constant flow of information to respond to vulnerabilities as well as update your informational dashboard. 

Cyber Effectiveness/Efficiency Measurements
An organisation's effectiveness/efficiency measurements are used to monitor how well an organisation prevents and responds to cyber incidences.  The key to maintain a high level of performance in regards to effectiveness/efficiency measurements is to have preplanned responses to a cybersecurity incident and to exercise their implementation. 

These response plans should be fed by the risk assessment conducted under the prior implementation measurements. Once completed, they should be exercised on the organisation's most valuable assets regularly and plans updated as appropriate. 
For instance, how long does it take an organisation to return a system to a secure state after a user clicks on a link in a phishing email or other attack. Can steps be taken to reduce the time it takes to make the system operational faster?

Example 1: Percent (%) of reported cyber-security incident investigations resolved within an organisationally defined timeframe. 

Example 2: Number of system vulnerabilities exploited by threat actors.

Example 3: Accuracy of cyber-security protection assets (i.e. intrusion detection systems, intrusion prevention systems, firewalls, etc.)

Cyber Impact Measurements
An organisation's impact measurements are used to monitor the potential impact of a cyber security breach and the damage conducted to organizational assets (both tangible and intangible assets). 

The key to maintain a high level of performance in regards to impact measurements is to manage the fallout from the breach effectively. It used to be that consumers would cast aside companies with a cyber-security breach. Today, it's a bit more complicated. 

An article by Doug Drinkwater in CSO magazine said that the stock price from many large corporations who suffered a cyber-security breach rose one year later. But, the damage to a brand's long-term reputation is real ranking right up there with poor customer service. 

By not managing the fallout from a cyber incident and obscuring the breach, the organisation is only exacerbating the damage to the brand and their reputation.

Conclusion
Much of the existing literature identifies ways for CISOs and information security professionals to develop their own metrics. Maybe for you and your organisation, it is better to measure success by compliance to a regulatory standard. However, many risk assessments are geared towards identifying, planning, detecting, and responding to cyber risks/vulnerabilities. The cyber resilience life cycle leaves little thought to measuring its effectiveness or relaying information to senior management. 

By developing KPIs, CISO's and information security professionals can measure success over time. These measurements can then be used to create their own dashboards to monitor performance and report it to other senior leaders. It's about time we start finding the successes to talk about rather than negative consequences.

Gary Manley

Gary Manley is Adjunct Professor Informations Systems at University of Maryland University College

You Might Also Read: 

Brand Reputation Includes Cyber Safety:
 

 

« 13 Ways Cyber Criminals Spread Malware
IBM’s AI Can Argue With Humans »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ASIS International

ASIS International

ASIS International is a global community of security practitioners with a role in the protection of assets - people, property, and/or information.

Code42

Code42

Code42 CrashPlan, is an enterprise SaaS solution that backs up all distributed end-user data on a single, secure platform.

Maverick Technologies

Maverick Technologies

Maverick is an industrial automation, enterprise integration and operational consulting company. Services include industrial cyber security.

Cyanre

Cyanre

Cyanre delivers state of the art cyber forensic services through software technologies and procedures that exceed conformities of major law enforcement agencies across the globe.

SailPoint

SailPoint

SailPoint provides identity governance solutions with on-premises and cloud-based identity management software for the most complex challenges.

Sasa Software

Sasa Software

Sasa Software is a cybersecurity software developer specializing in the prevention of file-based network attacks.

Coalition

Coalition

Coalition combines comprehensive insurance and proprietary security tools to help businesses manage and mitigate cyber risk.

Defendify

Defendify

We built Defendify to help small businesses navigate the cybersecurity landscape with cybersecurity that is dead simple, affordable, and works around the clock.

Syndis

Syndis

Syndis is a leading information security company helping to defend organizations by providing bespoke services and innovative security solutions in the global market.

Voodoo Security

Voodoo Security

Voodoo Security is a specialized information security consulting firm focused on security assessments, risk and compliance analysis, and cloud security.

IntelliGenesis

IntelliGenesis

IntelliGenesis provide comprehensive cyber, data science, analysis, and software development services that provide tailored, secure solutions for your critical data and intelligence needs.

Motorola Solutions

Motorola Solutions

Motorola Solutions build mission-critical services, software, video and analytics, backed by secure, resilient land mobile radio communications.

Nonprofit Cyber

Nonprofit Cyber

Nonprofit Cyber is a first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity.

Solvo

Solvo

Solvo enables security teams and other stakeholders to automatically uncover, prioritize, mitigate and remediate cloud infrastructure access risks.

Nexer

Nexer

Nexer is a modern tech company with expertise in strategy, technology and communication with a strong vision.

One Step Secure IT

One Step Secure IT

One Step provide Managed IT Services, Cybersecurity Protections, and Compliance to businesses in the USA nationwide.