How to Measure Cybersecurity Success

Uploaded on 2018-06-28 in NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Resilience

When performance is measured, performance improves. When performance is measured and reported back, the rate of improvement accelerates.   By Gary Manley

Key Performance Indicators (KPIs) are fundamental to determining success in business. There are many industries and functions with long established KPIs such as inventory turnover or gross profit margin as a percentage of sales. 

Performance measures in the cyber-security field, being a newer discipline, does not have the same level of interest and KPIs in the way that other areas do. 

So how do you measure success in cyber-security? After all, if you can't measure it, you can't manage it. 
 

What to Measure?

In today's world, we constantly talk about cyber breaches. However, we rarely talk about cyber-security successes. Perhaps it's because of the vast number of incidences reported in the news that we don't.  Or, perhaps it's because there are some who are only concerned about one success metric, whether a cyber-security incident has occurred or not. This is poor business practice since it does not provide a real-time snapshot of an organisation's cyber-security posture, only one instant in time.

Cyber Implementation Measurements
An organisation's implementation measurements are used to monitor compliance to the organisation's security standard. 
The key to maintain a high level of performance in regards to implementation measurements is to establish a security baseline first, and continuously improve until you are constantly operating at or near 100%. 
Once you have a security baseline established, you should have a constant flow of information to respond to vulnerabilities as well as update your informational dashboard. 

Cyber Effectiveness/Efficiency Measurements
An organisation's effectiveness/efficiency measurements are used to monitor how well an organisation prevents and responds to cyber incidences.  The key to maintain a high level of performance in regards to effectiveness/efficiency measurements is to have preplanned responses to a cybersecurity incident and to exercise their implementation. 

These response plans should be fed by the risk assessment conducted under the prior implementation measurements. Once completed, they should be exercised on the organisation's most valuable assets regularly and plans updated as appropriate. 
For instance, how long does it take an organisation to return a system to a secure state after a user clicks on a link in a phishing email or other attack. Can steps be taken to reduce the time it takes to make the system operational faster?

Example 1: Percent (%) of reported cyber-security incident investigations resolved within an organisationally defined timeframe. 

Example 2: Number of system vulnerabilities exploited by threat actors.

Example 3: Accuracy of cyber-security protection assets (i.e. intrusion detection systems, intrusion prevention systems, firewalls, etc.)

Cyber Impact Measurements
An organisation's impact measurements are used to monitor the potential impact of a cyber security breach and the damage conducted to organizational assets (both tangible and intangible assets). 

The key to maintain a high level of performance in regards to impact measurements is to manage the fallout from the breach effectively. It used to be that consumers would cast aside companies with a cyber-security breach. Today, it's a bit more complicated. 

An article by Doug Drinkwater in CSO magazine said that the stock price from many large corporations who suffered a cyber-security breach rose one year later. But, the damage to a brand's long-term reputation is real ranking right up there with poor customer service. 

By not managing the fallout from a cyber incident and obscuring the breach, the organisation is only exacerbating the damage to the brand and their reputation.

Conclusion
Much of the existing literature identifies ways for CISOs and information security professionals to develop their own metrics. Maybe for you and your organisation, it is better to measure success by compliance to a regulatory standard. However, many risk assessments are geared towards identifying, planning, detecting, and responding to cyber risks/vulnerabilities. The cyber resilience life cycle leaves little thought to measuring its effectiveness or relaying information to senior management. 

By developing KPIs, CISO's and information security professionals can measure success over time. These measurements can then be used to create their own dashboards to monitor performance and report it to other senior leaders. It's about time we start finding the successes to talk about rather than negative consequences.

Gary Manley

Gary Manley is Adjunct Professor Informations Systems at University of Maryland University College

You Might Also Read: 

Brand Reputation Includes Cyber Safety:
 

 

« 13 Ways Cyber Criminals Spread Malware
IBM’s AI Can Argue With Humans »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

aizoOn Technology Consulting

aizoOn Technology Consulting

aizoOn is a technology consulting company offering a range of services including IoT & embedded security, mobile security, cybersecurity assessments, risk & compliance, network monitoring and more.

Centre for the Protection of National Infrastructure (CPNI)

Centre for the Protection of National Infrastructure (CPNI)

CPNI works with the National Cyber Security Centre (NCSC), Cabinet Office and lead Government departments and agencies to drive forward the UK's cyber security programme to counter cyber threats.

th4ts3cur1ty.company

th4ts3cur1ty.company

th4ts3cur1ty.company specialize in delivering intelligence lead adversary emulation purple teaming & the bespoke building of Security Operation Centers.

Cybersecurity Coalition

Cybersecurity Coalition

The mission of the Cybersecurity Coalition is to bring together leading companies to help policymakers develop consensus-driven policy solutions to achieve improvements in cybersecurity.

GB Group (GBG)

GB Group (GBG)

GBG is a global technology specialist in fraud, location and identity data intelligence.

SterlingRisk Programs

SterlingRisk Programs

SterlingRisk’s Cyber practice brings experience working with a wide array of clients across a broad spectrum of industries.

Pixm

Pixm

Pixm’s computer vision based approach offers a truly unique and effective means to protect organizations from web-based phishing attacks.

Stefanini Group

Stefanini Group

Stefanini is a global IT services company providing a broad range of solutions for digital transformation including automation, cloud, IoT and cybersecurity.

Stratia Cyber

Stratia Cyber

Stratia Cyber is an independent, technology agnostic company providing high quality, pragmatic cyber security consultancy and expertise.

Neosec

Neosec

We’re reinventing API security. Understanding behavior requires data, analytics, and intelligence. Neosec brings XDR techniques to application security.

Intelidata Techedge Pvt. Ltd.

Intelidata Techedge Pvt. Ltd.

Intelidata are a Global Cyber Security Consultancy and Services firm that helps companies drive growth by minimizing risk and maximizing potential.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clango

Clango

Clango employs an identity-centric approach to optimizing your cybersecurity investment while minimizing risk.

GoCloud Systems

GoCloud Systems

GoCloud is an IT consulting firm. We provide IT strategy and cloud adoption services to the New Zealand Government, Non-Profit Organisations and private industry.

Linx Security

Linx Security

The Linx Identity Security platform enables identity, security, and IT ops teams to finally control the whole identity lifecycle.

Tanzania Industrial Research and Development Organization (TIRDO)

Tanzania Industrial Research and Development Organization (TIRDO)

TIRDO is a multi-disciplinary research and development organization.