How to Measure Cybersecurity Success

Uploaded on 2018-06-28 in NEWS-Cybersecurity News, FREE TO VIEW, TECHNOLOGY--Resilience

When performance is measured, performance improves. When performance is measured and reported back, the rate of improvement accelerates.   By Gary Manley

Key Performance Indicators (KPIs) are fundamental to determining success in business. There are many industries and functions with long established KPIs such as inventory turnover or gross profit margin as a percentage of sales. 

Performance measures in the cyber-security field, being a newer discipline, does not have the same level of interest and KPIs in the way that other areas do. 

So how do you measure success in cyber-security? After all, if you can't measure it, you can't manage it. 
 

What to Measure?

In today's world, we constantly talk about cyber breaches. However, we rarely talk about cyber-security successes. Perhaps it's because of the vast number of incidences reported in the news that we don't.  Or, perhaps it's because there are some who are only concerned about one success metric, whether a cyber-security incident has occurred or not. This is poor business practice since it does not provide a real-time snapshot of an organisation's cyber-security posture, only one instant in time.

Cyber Implementation Measurements
An organisation's implementation measurements are used to monitor compliance to the organisation's security standard. 
The key to maintain a high level of performance in regards to implementation measurements is to establish a security baseline first, and continuously improve until you are constantly operating at or near 100%. 
Once you have a security baseline established, you should have a constant flow of information to respond to vulnerabilities as well as update your informational dashboard. 

Cyber Effectiveness/Efficiency Measurements
An organisation's effectiveness/efficiency measurements are used to monitor how well an organisation prevents and responds to cyber incidences.  The key to maintain a high level of performance in regards to effectiveness/efficiency measurements is to have preplanned responses to a cybersecurity incident and to exercise their implementation. 

These response plans should be fed by the risk assessment conducted under the prior implementation measurements. Once completed, they should be exercised on the organisation's most valuable assets regularly and plans updated as appropriate. 
For instance, how long does it take an organisation to return a system to a secure state after a user clicks on a link in a phishing email or other attack. Can steps be taken to reduce the time it takes to make the system operational faster?

Example 1: Percent (%) of reported cyber-security incident investigations resolved within an organisationally defined timeframe. 

Example 2: Number of system vulnerabilities exploited by threat actors.

Example 3: Accuracy of cyber-security protection assets (i.e. intrusion detection systems, intrusion prevention systems, firewalls, etc.)

Cyber Impact Measurements
An organisation's impact measurements are used to monitor the potential impact of a cyber security breach and the damage conducted to organizational assets (both tangible and intangible assets). 

The key to maintain a high level of performance in regards to impact measurements is to manage the fallout from the breach effectively. It used to be that consumers would cast aside companies with a cyber-security breach. Today, it's a bit more complicated. 

An article by Doug Drinkwater in CSO magazine said that the stock price from many large corporations who suffered a cyber-security breach rose one year later. But, the damage to a brand's long-term reputation is real ranking right up there with poor customer service. 

By not managing the fallout from a cyber incident and obscuring the breach, the organisation is only exacerbating the damage to the brand and their reputation.

Conclusion
Much of the existing literature identifies ways for CISOs and information security professionals to develop their own metrics. Maybe for you and your organisation, it is better to measure success by compliance to a regulatory standard. However, many risk assessments are geared towards identifying, planning, detecting, and responding to cyber risks/vulnerabilities. The cyber resilience life cycle leaves little thought to measuring its effectiveness or relaying information to senior management. 

By developing KPIs, CISO's and information security professionals can measure success over time. These measurements can then be used to create their own dashboards to monitor performance and report it to other senior leaders. It's about time we start finding the successes to talk about rather than negative consequences.

Gary Manley

Gary Manley is Adjunct Professor Informations Systems at University of Maryland University College

You Might Also Read: 

Brand Reputation Includes Cyber Safety:
 

 

« 13 Ways Cyber Criminals Spread Malware
IBM’s AI Can Argue With Humans »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

SSH Communications Security

SSH Communications Security

SSH Communications Security is a leading provider of enterprise cybersecurity solutions for controlling trusted access to information systems and data.

JumpCloud

JumpCloud

JumpCloud's Directory-as-a-Service (DaaS) is the single point of authority to authenticate, authorize, and manage the identities of a business’s employees and the systems and IT resources they need.

XenArmor

XenArmor

XenArmor products include NetCertScanner, an enterprise software to scan & manage expired SSL Certificates on your local network or internet.

SecureNinja

SecureNinja

SecureNinja provides professional training, certifications & professional services related to all facets of Information Technology and Cyber Security.

CLDigital

CLDigital

CLDigital's no-code risk and resilience platform, CL360, provides leaders with risk and resilience data to make strategic and tactical continuity decisions.

Cyber Craft

Cyber Craft

CyberCraft is an innovative and dynamic software development, outsourcing and consulting company. Services offered include penetration testing.

ThreadStone Cyber Security

ThreadStone Cyber Security

ThreadStone Cyber Security offer reliable, practical and affordable cyber security solutions for both large and smaller organizations that we develop and deliver ourselves from Europe.

Novastor

Novastor

NovaStor® is an award-winning, international data backup and recovery software company with solutions supporting physical, virtual and cloud environments.

MONITORAPP

MONITORAPP

MONITORAPP is responsible for complete web security. Protect your business environment with Application Security Solutions from MONTORAPP.

Iterasec

Iterasec

Iterasec provides a full range of security services to hacker-proof your products and make software engineering process secure by design.

eCentre@LindenPointe

eCentre@LindenPointe

The eCenter@LindenPointe provides assistance to the development, management and promotion of STEM (Science, Technology, Engineering, Mathematics) related business ventures.

Jericho Security

Jericho Security

Jericho Security is on a mission to defend the world from the new threats of generative AI cyber attacks.

Custom Computer Specialist (CCS)

Custom Computer Specialist (CCS)

CCS offers an extensive range of services including cybersecurity solutions, consulting, implementation, and support to help our clients maximize the value derived from IT investments.

Digital Security Authority (DSA)

Digital Security Authority (DSA)

The establishment of the Digital Security Authority, which incorporates the National CSIRT, is crucial to significantly raising the cybersecurity posture and capabilities of Cyprus.

Aliro Security

Aliro Security

AliroNet is the world’s first entanglement Advanced Secure Network solution.

Cyberleaf

Cyberleaf

Cyberleaf is simplified managed cybersecurity for MSPs, enabling top tier cyber protection for small and medium enterprise.