How to Measure Cybersecurity Success

When performance is measured, performance improves. When performance is measured and reported back, the rate of improvement accelerates.   By Gary Manley

Key Performance Indicators (KPIs) are fundamental to determining success in business. There are many industries and functions with long established KPIs such as inventory turnover or gross profit margin as a percentage of sales. 

Performance measures in the cyber-security field, being a newer discipline, does not have the same level of interest and KPIs in the way that other areas do. 

So how do you measure success in cyber-security? After all, if you can't measure it, you can't manage it. 
 

What to Measure?

In today's world, we constantly talk about cyber breaches. However, we rarely talk about cyber-security successes. Perhaps it's because of the vast number of incidences reported in the news that we don't.  Or, perhaps it's because there are some who are only concerned about one success metric, whether a cyber-security incident has occurred or not. This is poor business practice since it does not provide a real-time snapshot of an organisation's cyber-security posture, only one instant in time.

Cyber Implementation Measurements
An organisation's implementation measurements are used to monitor compliance to the organisation's security standard. 
The key to maintain a high level of performance in regards to implementation measurements is to establish a security baseline first, and continuously improve until you are constantly operating at or near 100%. 
Once you have a security baseline established, you should have a constant flow of information to respond to vulnerabilities as well as update your informational dashboard. 

Cyber Effectiveness/Efficiency Measurements
An organisation's effectiveness/efficiency measurements are used to monitor how well an organisation prevents and responds to cyber incidences.  The key to maintain a high level of performance in regards to effectiveness/efficiency measurements is to have preplanned responses to a cybersecurity incident and to exercise their implementation. 

These response plans should be fed by the risk assessment conducted under the prior implementation measurements. Once completed, they should be exercised on the organisation's most valuable assets regularly and plans updated as appropriate. 
For instance, how long does it take an organisation to return a system to a secure state after a user clicks on a link in a phishing email or other attack. Can steps be taken to reduce the time it takes to make the system operational faster?

Example 1: Percent (%) of reported cyber-security incident investigations resolved within an organisationally defined timeframe. 

Example 2: Number of system vulnerabilities exploited by threat actors.

Example 3: Accuracy of cyber-security protection assets (i.e. intrusion detection systems, intrusion prevention systems, firewalls, etc.)

Cyber Impact Measurements
An organisation's impact measurements are used to monitor the potential impact of a cyber security breach and the damage conducted to organizational assets (both tangible and intangible assets). 

The key to maintain a high level of performance in regards to impact measurements is to manage the fallout from the breach effectively. It used to be that consumers would cast aside companies with a cyber-security breach. Today, it's a bit more complicated. 

An article by Doug Drinkwater in CSO magazine said that the stock price from many large corporations who suffered a cyber-security breach rose one year later. But, the damage to a brand's long-term reputation is real ranking right up there with poor customer service. 

By not managing the fallout from a cyber incident and obscuring the breach, the organisation is only exacerbating the damage to the brand and their reputation.

Conclusion
Much of the existing literature identifies ways for CISOs and information security professionals to develop their own metrics. Maybe for you and your organisation, it is better to measure success by compliance to a regulatory standard. However, many risk assessments are geared towards identifying, planning, detecting, and responding to cyber risks/vulnerabilities. The cyber resilience life cycle leaves little thought to measuring its effectiveness or relaying information to senior management. 

By developing KPIs, CISO's and information security professionals can measure success over time. These measurements can then be used to create their own dashboards to monitor performance and report it to other senior leaders. It's about time we start finding the successes to talk about rather than negative consequences.

Gary Manley

Gary Manley is Adjunct Professor Informations Systems at University of Maryland University College

You Might Also Read: 

Brand Reputation Includes Cyber Safety:
 

 

« 13 Ways Cyber Criminals Spread Malware
IBM’s AI Can Argue With Humans »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Paessler

Paessler

Paessler is a leading worldwide provider of network monitoring software.

RSA Security

RSA Security

RSA provide cybersecurity products for Threat Detection and Response, Identity and Access Management, Governance, Risk and Compliance, and Fraud Prevention.

MarQuest

MarQuest

MarQuest provides services and systems to enhance network reliability and security.

Nation-E

Nation-E

Nation-E offers innovative cyber security solutions for industrial installations, critical infrastructure and smart grids.

Industrial Networking Solutions (INS)

Industrial Networking Solutions (INS)

INS Services specializes in designing, deploying and providing on-going support for critical OT (Operational Technology) and IIoT (Industrial Internet of Things) networks.

Arm

Arm

Arm delivers a complete IoT solution, from providing the IP for the chip to delivering the cloud services to securely manage the deployment of products throughout their lifecycle.

Zeguro

Zeguro

Zeguro provides complete cybersecurity risk assessment, mitigation and insurance, allowing you to easily manage your cyber risk.

Zamna

Zamna

Zamna (formerly VChain Technology) is an award-winning software company building GDPR compliant identity platforms for the aviation industry.

FraudScope

FraudScope

FraudScope is an AI-assisted platform that accelerates the identification of fraud, waste, and abuse.

Cyber Security Africa

Cyber Security Africa

Cyber Security Africa is a full-service Information Security Consulting firm offering a comprehensive range of Services and Products to help organizations protect their valuable assets.

Singular Security

Singular Security

Singular Security help public and private organizations minimize cybersecurity risk and pass their IT compliance audit.

BT Security

BT Security

BT provides telecommunications and network infrastructure services to keep businesses around the world connected and secure.

Cyber Protection Group (CPG)

Cyber Protection Group (CPG)

Cyber protection Group specialize in Penetration Testing. We work with enterprise level companies as well as small to medium sized businesses.

Nine23

Nine23

Nine23 are a highly focused cyber security solutions company that defines, builds and manages innovative services, enabling end-users to use technology securely in today’s workplace.

PeoplActive

PeoplActive

PeoplActive is an IT consulting and recruitment services organization with leading capabilities in digital, cloud and security.

Teal Technology Consulting

Teal Technology Consulting

TEAL Technology Consulting is your trusted advisor for all your information security needs.