Cybersecurity Has A Metrics Problem

Uploaded on 2017-05-12 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW

Building security metrics, measuring risk and improving cyber incident communications aren’t “one and done” processes. How are you doing at measuring risk in your organisation? 

Almost 4.2 billion records were exposed in 4,149 data breaches in 2016, according to a recent report from Risk Based Security. 

The worst-hit sectors were businesses at 51 percent of reported breaches, surpassing unknown (23.4 percent), government (11.7 percent), medical (9.2 percent) and education (4.7 percent) industries. While the number of data breaches remained about the same in 2015 and 2016, the number of records compromised skyrocketed last year. 

But wait, the Identity Theft Resource Center said there were 1,093 reported data breaches in 2016, 40 percent more than the 780 breaches in 2015. Confusing things further, the Privacy Rights Clearing House counted 538 breaches occurring in 2016 with just over 11 million records lost. 

To be sure, there are plenty of explanations, different definitions, regional exceptions and so on to account for the conflicting numbers. If you add in disparate definitions of “security incidents,” numbers of “vulnerabilities,” “threats” or even what’s included under “cybersecurity,” you will see that different organisations use different terms, accounting and approaches, making apples-to-apples comparisons very hard.

But enough about tabulating industrywide security metrics. How are you doing at measuring risk in your organisation? 

Sadly the gap between management expectations and reality usually gets worse when serious academic rigor is applied to measuring local cybersecurity programs. Many governments are just happy to have any security metrics at all. Often, easy-to-find items like “spam emails blocked” or “viruses detected and eliminated” are the only things counted, since network and security tools easily capture these cyber-alerts. 

Digging deeper, is your security health report truly measuring risk and evaluating future investments in people, process and technology? No doubt, reporting big numbers to managers (often measured in the millions of hostile data elements removed) looks impressive on management reports, but has anyone asked tough questions about these reports lately? 

Have you ever matched the metrics you’re collecting to management decision-making? Are the relevant definitions clear and consistent?

  • Is the threat intelligence data reliable? What is the process for creating security action items and priority levels? Who is (truly) looking at the captured data in a timely manner?
  • Where can leadership turn for answers during an incident?
  • What can be done?

Here are three steps you can take to strengthen cybersecurity metrics, communicate risk levels, and recommended actions to the right people up and down the management chain.

Know your enterprise security data, collection capabilities, policies and current reports. Who is doing what regarding your organization’s metrics collection processes now? Review risk assessments and security operation capabilities that are already in place from an end-to-end perspective. Ask what reports are really being read and used, and by whom. 

Talk to top executives, financial staff, external partners and your internal team about “must have,” “nice to have” and “wasteful” metrics. What compliance reports are required by auditors? How can internal and external partners help? What risk-measuring results are expected? Consider if cyber-insurance checklists and processes can help document risk-reducing steps that lower premium costs. 

Build (and use) a meaningful security dashboard for executives. Make sure the detail behind the metrics are real. As you build your future metrics model, examine best practices and talk with industry peers to understand what is working in your business sector. A few years back, the National Governors Association’s Resource Center for State Cybersecurity helped to build a template that can be used for government security dashboards. These templates are a helpful start. The Center for Internet Security consensus metrics are also valuable. 

Building security metrics, measuring risk and improving cyber incident communications aren’t “one and done” processes. Seek to constantly improve and refine cybersecurity metrics, while maintaining your data. 

GovTech:

You Might Also Read:

Time To Speak The Language Of Risk:

Cultural Strategies For Data Security (£):

Cyber Security is Now Business Critical (£):

Make The Most Of Data Analytics:


 

« Hackers Stole A £60,000 BMW
Macron Hackers Linked To Russian Intelligence »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Endace

Endace

Endace is a leader in network visibility, network recording and packet capture solutions for security, network and application performance monitoring.

Latham & Watkins LLP

Latham & Watkins LLP

Latham & Watkins is an international law firm. Practice areas include Data Privacy, Security and Cybercrime.

Duane Morris LLP

Duane Morris LLP

Duane Morris is a global law firm with offices in the USA, UK and Asia. Practice areas include Cybersecurity.

Apicrypt

Apicrypt

Apicrypt enables secure communications between health professionals by using strong encryption technologies.

Secmentis

Secmentis

Secmentis is a cyber security consultancy specializing in penetration testing, threat intelligence, and proactive defense for your IT infrastructure.

Haystax Technology

Haystax Technology

Haystax’s security analytics platform applies artificial intelligence techniques to identify and prioritize threats in real time.

Nok Nok Labs

Nok Nok Labs

Nok Nok is a market leader in next generation authentication for cloud, mobile and IoT applications.

Ziroh Labs

Ziroh Labs

Ziroh Labs leverages advanced cryptography to keep your highly sensitive, private data safe throughout the lifecycle of data.

Google for Startups

Google for Startups

Google for Startups is Google’s initiative to help startups thrive across every corner of the world.

Monster Jobs

Monster Jobs

Monster is a global leader in connecting people to jobs, wherever they are. Monster covers all job sectors including cybersecurity in locations around the world.

Deepwatch

Deepwatch

deepwatch’s cloud SecOps platform and relentless customer focus are redefining the managed security services industry.

AnyTech365

AnyTech365

AnyTech365 is a leading European IT Security and Support company helping end users and small businesses have a worry-free experience with all things tech.

RiverSafe

RiverSafe

RiverSafe is a professional services provider specialising in Cyber Security, Data Operations and DevOps, putting security at the heart of everything we do.

Evolver

Evolver

Evolver delivers technology services and solutions that improve security, promote innovation, and maximize operational efficiency in support of government and commercial customers.

Trustack

Trustack

Trustack services cover connectivity, infrastructure services, security, unified comms, agile working and more. Our team of consultants deliver customised solutions tailored to your needs.

Mobilen Communications

Mobilen Communications

Mobilen are dedicated to providing our customers with the highest level of secure data in transit and to bring privacy back to a mobile world.