How to Measure Cybersecurity Success

When performance is measured, performance improves. When performance is measured and reported back, the rate of improvement accelerates.   By Gary Manley

Key Performance Indicators (KPIs) are fundamental to determining success in business. There are many industries and functions with long established KPIs such as inventory turnover or gross profit margin as a percentage of sales. 

Performance measures in the cyber-security field, being a newer discipline, does not have the same level of interest and KPIs in the way that other areas do. 

So how do you measure success in cyber-security? After all, if you can't measure it, you can't manage it. 
 

What to Measure?

In today's world, we constantly talk about cyber breaches. However, we rarely talk about cyber-security successes. Perhaps it's because of the vast number of incidences reported in the news that we don't.  Or, perhaps it's because there are some who are only concerned about one success metric, whether a cyber-security incident has occurred or not. This is poor business practice since it does not provide a real-time snapshot of an organisation's cyber-security posture, only one instant in time.

Cyber Implementation Measurements
An organisation's implementation measurements are used to monitor compliance to the organisation's security standard. 
The key to maintain a high level of performance in regards to implementation measurements is to establish a security baseline first, and continuously improve until you are constantly operating at or near 100%. 
Once you have a security baseline established, you should have a constant flow of information to respond to vulnerabilities as well as update your informational dashboard. 

Cyber Effectiveness/Efficiency Measurements
An organisation's effectiveness/efficiency measurements are used to monitor how well an organisation prevents and responds to cyber incidences.  The key to maintain a high level of performance in regards to effectiveness/efficiency measurements is to have preplanned responses to a cybersecurity incident and to exercise their implementation. 

These response plans should be fed by the risk assessment conducted under the prior implementation measurements. Once completed, they should be exercised on the organisation's most valuable assets regularly and plans updated as appropriate. 
For instance, how long does it take an organisation to return a system to a secure state after a user clicks on a link in a phishing email or other attack. Can steps be taken to reduce the time it takes to make the system operational faster?

Example 1: Percent (%) of reported cyber-security incident investigations resolved within an organisationally defined timeframe. 

Example 2: Number of system vulnerabilities exploited by threat actors.

Example 3: Accuracy of cyber-security protection assets (i.e. intrusion detection systems, intrusion prevention systems, firewalls, etc.)

Cyber Impact Measurements
An organisation's impact measurements are used to monitor the potential impact of a cyber security breach and the damage conducted to organizational assets (both tangible and intangible assets). 

The key to maintain a high level of performance in regards to impact measurements is to manage the fallout from the breach effectively. It used to be that consumers would cast aside companies with a cyber-security breach. Today, it's a bit more complicated. 

An article by Doug Drinkwater in CSO magazine said that the stock price from many large corporations who suffered a cyber-security breach rose one year later. But, the damage to a brand's long-term reputation is real ranking right up there with poor customer service. 

By not managing the fallout from a cyber incident and obscuring the breach, the organisation is only exacerbating the damage to the brand and their reputation.

Conclusion
Much of the existing literature identifies ways for CISOs and information security professionals to develop their own metrics. Maybe for you and your organisation, it is better to measure success by compliance to a regulatory standard. However, many risk assessments are geared towards identifying, planning, detecting, and responding to cyber risks/vulnerabilities. The cyber resilience life cycle leaves little thought to measuring its effectiveness or relaying information to senior management. 

By developing KPIs, CISO's and information security professionals can measure success over time. These measurements can then be used to create their own dashboards to monitor performance and report it to other senior leaders. It's about time we start finding the successes to talk about rather than negative consequences.

Gary Manley

Gary Manley is Adjunct Professor Informations Systems at University of Maryland University College

You Might Also Read: 

Brand Reputation Includes Cyber Safety:
 

 

« 13 Ways Cyber Criminals Spread Malware
IBM’s AI Can Argue With Humans »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Oxygen Forensics

Oxygen Forensics

Oxygen Forensics offer the most advanced forensic data examination tools for mobile devices and cloud services.

Cloud Foundry Foundation (CFF)

Cloud Foundry Foundation (CFF)

Cloud Foundry supports the full application development lifecycle, from inception, through all testing stages, to deployment.

KE-CIRT/CC

KE-CIRT/CC

KE-CIRT/CC is the national Computer Incident Response Team for Kenya.

French Expert Center Against Cybercrime (CECyF)

French Expert Center Against Cybercrime (CECyF)

CECyF is a centre of excellence for countering cybercrime in France.

First Response

First Response

First Response is a Cyber Incident Response and Digital Forensic Investigation company.

SAASPASS

SAASPASS

SAASPASS is a full-stack identity and access management solution, a single product which allows you to manage all your digital and physical access needs securely and conveniently.

Uhuru Corp

Uhuru Corp

Uhuru offers a wide variety of IoT products and solutions including enebular® IoT Orchestration Service.

PhishX

PhishX

PhishX is a SaaS platform for security awareness that simulates Cyberthreats, train people, while measure and analysis results, reducing Cybersecurity risks for People and Companies.

VaultOne

VaultOne

VaultOne is a next-generation security solution that addresses security issues from different domains (Password Manager, Secure Access, PAM, Identity Management) as a single, integrated solution.

KBR

KBR

To help governments and other agencies to combat cyber threats, KBR is safeguarding their most valuable systems with sophisticated tools, hardware and training.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

Strata Identity

Strata Identity

Strata is pioneering identity orchestration to unify on-premises and cloud-based authentication and access systems for consistent identity management in multi-cloud environments.

QAlified

QAlified

QAlified offer independent testing and quality assurance services for software projects including security testing.

Relatech

Relatech

Relatech is a Digital Enabler Solution Knowledge (D.E.S.K.) Company that offers digital services and solutions dedicated to the digital transformation of businesses.

ZeroGPT

ZeroGPT

ZeroGPT.com stands at the forefront of AI detection tools, specializing in the precise identification of ChatGPT-generated text.

Zanutix Consulting

Zanutix Consulting

Zanutix specialize in a wide range of services including Network Design and Implementation, Data Management, Cloud Solutions, Software Development and Cybersecurity.