Cybersecurity has become one of the most important topics of discussion in the corporate world, with tech-savvy boards investing millions into cybersecurity solutions and products to protect their corporate assets. With cybersecurity becoming a C-level issue and a business concern instead of a technical one, CISOs can command higher budgets and invest more time and effort into implementing security frameworks; however, this also means that the board wants to see a return on their security investment. This is where cybersecurity metrics come into play.
The 6 C’s of Cybersecurity
A technical definition of a cybersecurity metric would be something quantifiable that allows you to monitor the performance of your cybersecurity program. Creating and tracking these metrics provides the CISO and the board with relevant insights into how well their security program is performing and whether the implemented controls are working. However, these metrics do not exist in a vacuum. They form one part of an overall cybersecurity framework. A good framework consists of the 6 C’s, which are foundational principles that lead to effective cybersecurity management:
- Culture: A security culture is intangible and something that no security product can track. It is only created with practical training and awareness and must be cultivated over time. No technical control can compete with a well-trained and security-aware workforce.
- Compliance: Companies must comply with various regulations and mandates depending on the industry they operate in, such as PCI DSS, HIPAA, GDPR, etc., and may also have to meet security requirements imposed by their clients or flowed down from their customers' contracts. Implementing these frameworks leads to a solid foundation and helps avoid regulatory and contract violations.
- Controls: Security controls do not simply consist of technical controls, but form part of a larger defense-in-depth strategy consisting of technical, administrative, and physical controls. All of them work together to form a practical cybersecurity framework.
- Continuous monitoring: This is where metrics come into play, as it is only through regular monitoring and tracking of the security posture of your network, applications, and systems that you can know whether the controls are working.
- Collaboration: Sharing threat intelligence is a critical need in today’s world due to the number of attacks and threat actors present. By ensuring collaboration with agencies, industry experts, law enforcement, etc., companies can be aware of new threats and adjust their defenses in time.
- Competition: If not today, then tomorrow every customer contract will carry cybersecurity requirements. Having a developed and mature cybersecurity program will set you apart from competitors that lack a solid program or have suffered a compromise.
Introducing cybersecurity metrics
We briefly touched upon cybersecurity metrics and how they allow you to monitor the performance of a cybersecurity program and provide insights into it; however, a common misconception is that these metrics are only technical. As we saw from the 6 C’s, a cybersecurity program is more than just technical controls, and its metrics must reflect that.
They can broadly be grouped into the following categories.
- Operational: These metrics track operational and tactical activities such as the status of a vulnerability management program, incident response times, etc. CISOs can ascertain whether day-to-day security tasks are optimized by tracking these tactical metrics.
- Strategic: These metrics are high-level and focus on whether the cybersecurity program’s overall strategic aspects work (for example, the cybersecurity budget consumption or the number of locations covered within the scope of a certification like ISO 27001). By tracking these metrics, the CISO and the board are able to make longer-term decisions on cybersecurity projects.
- Compliance metrics: As the name implies, compliance metrics focus on how well compliance-related initiatives perform (for instance, the number of assets compliant with the PCI DSS requirements or how many systems are out of compliance). These are essential for tracking your environment’s potential risks of non-compliance with industry regulations.
Metrics can also be classified as Key Performance Indicators (KPIs) or Key Risk Indicators (KRIs) within cybersecurity. KPIs focus on performance and inform the CISO whether the cybersecurity program is meeting its goals. Examples of KPIs would be the number of employees that have been trained or the number of incidents that are occurring. KRIs, on the other hand, inform the CISO about the potential risk of cybersecurity attacks and incidents, such as the number of unpatched vulnerabilities or the number of open findings from a penetration test.
What makes a good cybersecurity metric
Good security metrics must have certain attributes to provide value; otherwise, we would waste time in tracking a measure that provides no indication about how good our cybersecurity posture is. Some of the features of a good cybersecurity metric are:
- Relevancy: The metric pertains to your company’s business model and technical profile. For a company with no online presence, regularly tracking DDoS attacks might not be relevant and would provide no value.
- Quantifiable: Being quantifiable makes it easier to identify and analyze whether the area a metric measures is improving or not. For example, the time taken to respond to an incident can be tracked in hours or days, showing whether improvement is happening over time.
- Simple: Contrary to popular belief, metrics do not have to be complex or too technical. The simpler the metric, the easier it will be to communicate to a broader audience of stakeholders and get further buy-in into the cybersecurity program.
- Actionable: The metric lends itself to taking tangible action and decisions based on the information it provides. For example, if the time to respond metric is getting longer, the incident response process might have bottlenecks that must be removed.
- Timely: The metric should be real-time or near to it, allowing the CISO to adjust and refine controls as needed.
Top 5 Cybersecurity Metrics Your Business Should Track
Keeping the points mentioned above in mind, let us look at a few of the critical cybersecurity metrics every business must keep in mind to maintain an adequate cybersecurity posture:
- Patch and Vulnerability Management: Monitoring the ratio of patched to unpatched systems is a crucial metric for assessing an environment’s security. An unpatched or vulnerable system can be the doorway through which an attacker enters an environment, so this is a key metric to track regularly. Monitoring the duration between a vulnerability being reported and its mitigation is also essential.
- Time to detect and respond: Security incidents are inevitable; thus, monitoring the effectiveness of the security incident response mechanisms present within an environment is essential. The window between an incident being detected and being responded to should be as short as possible. Monitoring this metric will enable the identification of bottlenecks and areas of improvement.
- Security Awareness levels: Most companies have awareness programs in place; however, few bother to monitor their effectiveness over time. This can be done via assessments, completion rates, and knowledge checks, and reported as a percentage of the total workforce. A well-trained employee can be the difference between a failed or successful cyberattack.
- Number and type of security incidents: A key metric to monitor is the number and type of incidents that occur over time. Security incidents come in a variety of types, such as ransomware, DDoS attacks, social engineering, web application attacks, etc., and this metric will enable you to identify which controls require more fine-tuning. It can also be used to justify investment in security tooling based on the number of high-risk incidents occurring.
- The financial impact of security incidents: A critical strategic metric is the estimated or potential financial impact of security incidents. This is essential for monitoring the organization’s exposure to security incidents, including regulatory fines, data loss, downtime, etc. As with the previous metric, monitoring these areas will enable CISOs to highlight which areas can have the most significant impact on a company and justify security spending.
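The first two metrics above (patch/vulnerability aging and time to detect and respond) can be computed from a findings register and an incident log. The following is an added example, not code from the article; the SLA days, the reporting date and all findings and incidents are constructed sample data. It ages still-open findings up to the reporting date and reports the median alongside the mean, because a single slow incident can otherwise distort the average the board sees.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample data (not from the article). None = still open.
AS_OF = datetime(2024, 3, 1)                          # assumed reporting date
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}  # assumed remediation SLAs

FINDINGS = [
    # (severity, reported, remediated)
    ("critical", datetime(2024, 2, 1), datetime(2024, 2, 5)),
    ("critical", datetime(2024, 2, 10), None),               # still open, 20 days old
    ("high", datetime(2024, 1, 15), datetime(2024, 2, 20)),  # 36 days, breaches 30-day SLA
    ("high", datetime(2024, 2, 12), datetime(2024, 2, 22)),
    ("medium", datetime(2024, 1, 2), datetime(2024, 2, 1)),
]

INCIDENTS = [
    # (occurred, detected, contained)
    (datetime(2024, 2, 3, 9), datetime(2024, 2, 3, 11), datetime(2024, 2, 3, 15)),
    (datetime(2024, 2, 14, 22), datetime(2024, 2, 16, 8), datetime(2024, 2, 16, 20)),
    (datetime(2024, 2, 20, 10), datetime(2024, 2, 20, 10, 30), datetime(2024, 2, 20, 12, 30)),
]


def patch_metrics(findings, as_of=AS_OF, sla=SLA_DAYS):
    """Percent remediated, mean days to remediate, oldest open finding, SLA breaches.
    Open findings are aged to `as_of`, so an unpatched system is never hidden by the average."""
    ages = [((rem or as_of) - rep).days for _, rep, rem in findings]
    closed = [a for (_, _, rem), a in zip(findings, ages) if rem is not None]
    open_ages = [a for (_, _, rem), a in zip(findings, ages) if rem is None]
    breached = [sev for (sev, _, _), a in zip(findings, ages) if a > sla[sev]]
    return {
        "pct_remediated": round(100 * len(closed) / len(findings), 1),
        "mean_days_to_remediate": round(mean(closed), 1),
        "oldest_open_days": max(open_ages, default=0),
        "sla_breaches": breached,
    }


def response_metrics(incidents):
    """Time to detect (occurred -> detected) and time to respond (detected -> contained), in hours.
    Both mean and median are returned: one slow detection skews the mean, as the sample shows."""
    ttd = [(det - occ).total_seconds() / 3600 for occ, det, _ in incidents]
    ttr = [(con - det).total_seconds() / 3600 for _, det, con in incidents]
    return {"mttd_h": round(mean(ttd), 1), "median_ttd_h": round(median(ttd), 1),
            "mttr_h": round(mean(ttr), 1), "median_ttr_h": round(median(ttr), 1)}


if __name__ == "__main__":
    print(patch_metrics(FINDINGS))
    print(response_metrics(INCIDENTS))
```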
For a security program to be effective, it must be monitored and have metrics in place. Cybersecurity metrics, provided they meet the criteria we discussed earlier, can be an essential tool to monitor the performance of your security program over time and provide an objective way to assess whether it is working. By incorporating the best practices we have discussed and consistently monitoring these metrics, CISOs can proactively identify which areas to focus on and improve over time.