Cybersecurity never sits still. While you may have created a programme that addresses the current cyber threats towards your organisation, the chances are that it will not stay that way. New threats emerge, new techniques and technologies are put into play by cyber criminals, and employees change. You can’t manage what you don’t know, and that’s why it is important to follow a reporting regime that includes the cybersecurity performance metrics that really tell the story of how well your cyber defences are performing.
Why measure cybersecurity performance metrics?
The correct set of cybersecurity performance metrics will support your cybersecurity programme, and help your organisation make the right decisions when it comes to the future of the programme. Getting the right cybersecurity performance metrics will give the full picture to the cybersecurity team and management alike, in a way that can be tracked over time.
Tracking cybersecurity performance metrics over time will give early warning when tools or controls are no longer effective, when new tools need to be considered, or when additional resources are needed. The cybersecurity performance metrics will support decisions for budgets and spending.
Tracking and reporting cybersecurity performance metrics gives your IT security team the ability to benchmark your organisation’s security posture against similar organisations. This then enables the IT security team to understand how your cybersecurity fits into the bigger picture, once again supporting decision making.
Cybersecurity KPI metrics
In order to achieve the organisation’s goals, you need to choose the right cybersecurity KPI metrics to report on a regular basis.
The list of cybersecurity performance metrics below is just a sample of the many metrics that can be used to build a balanced report that benefits your cybersecurity programme.
Stopping attacks before they succeed is the most effective way to reduce cybersecurity risk in an organisation. The following cybersecurity performance metrics measure the effectiveness of your cyber prevention programme.
1 – Proportion of devices with endpoint protection – Endpoints such as computers, servers, and printers are among the most vulnerable elements of an organisation's cybersecurity programme, in part because they are operated by another vulnerable element: human beings. A cybersecurity programme should put endpoint protection on every device and keep track of any endpoints that are not protected. The goal of this cybersecurity performance metric is a figure as close to 100% as possible. The figure only means something if the denominator is the complete asset inventory; a device nobody knows about is not "unprotected" in the report, it is simply missing, so this KPI should be read alongside your inventory coverage.
2 – Number of users with super user or admin rights – A compromised admin or super user account gives an attacker full control, so these accounts are the prime target of privilege escalation and the point at which a small intrusion becomes a serious one. The principle of least privilege dictates that admin or super user rights should be given to as few people as possible, and only to the extent needed to carry out their work. Count accounts rather than people (one person with three admin accounts is three targets), include service accounts, and distinguish standing rights from rights granted temporarily for a task. The number should be as low as possible.
3 – Average time to patch vulnerabilities – When vendors release security updates, how long does it take to deploy them? Every day of delay leaves the organisation open to attack through a known vulnerability. Best practice is to apply patches fast, and when a patch is not yet available, to apply a virtual patch (a compensating control such as a WAF or IPS rule) in the interim. Measure from the date the fix was released, set targets by severity (critical fixes within hours or days, lower severities within a defined number of weeks), and report the slowest cases as well as the average, because a good mean can hide a handful of critical systems that have been unpatched for months.
4 – Number of systems with known vulnerabilities – Some systems will always have known vulnerabilities. Knowing how many systems are affected, which vulnerabilities they carry, and how long each has been open lets your organisation manage the risk rather than guess at it. Weight the count by severity and exposure (an internet-facing system with a critical flaw is not the same as an internal system with a low one). This cybersecurity KPI is a measure of the effectiveness of your vulnerability management programme.
5 – Average vendor security rating – Supply chain attacks are an increasing threat for organisations of all sizes. A cybersecurity programme must include third party assurance of new and existing vendors on a regular basis, and continuous monitoring of their cybersecurity posture. This KPI should return high security ratings and low risk ratings across the third parties your organisation uses, but an average can hide a single critical vendor with a poor score, so report the lowest-rated vendors that handle sensitive data or have access to your systems alongside the average.
6 – Cybersecurity training session results – Employees are traditionally seen as the weakest link in an organisation's cybersecurity programme. However, employees can be turned into security champions through effective training. This cybersecurity performance metric shows who has taken and completed training, how they scored on any assessment, how the training was delivered, and which topics were covered. Training and reporting should include all employees, from the CEO down.
7 – Security policy compliance – A security policy is only as good as the behaviour it actually produces. A key cybersecurity KPI is how well the organisation is performing against the expectations set out in its security policies. This KPI covers tracking and documenting approved exceptions, implementing the configurations and compliance controls that the policies require, and measuring performance against them.
Incidents of all shapes and sizes will take place regularly. How you respond to the incident is key to recovering quickly. Furthermore, analysis of the event will help your organisation learn for next time.
The following cybersecurity performance metrics measure the effectiveness of your cyber incident response.
8 – Unidentified devices on the network – Personal devices, visitor devices, or IoT devices on your network all increase security risk for your organisation, and you cannot monitor or respond to activity on a device you cannot identify. This cybersecurity performance metric requires you to keep track of unidentified devices and to have a process for identifying or removing them. The aim is a figure as close as possible to zero: IT security should be able to identify every device on the main network (not including any guest or external networks).
9 – Mean time to detection – The longer it takes to detect an attack, the more damage the attacker can cause. Measure from the earliest evidence of attacker activity (usually established during the investigation) to the point at which the incident was raised. Industry reports put median attacker dwell time at around 24 days, down from the 56 days reported in 2020, but that is still ample time for an attacker to cause significant damage. The aim is to get as close to zero as possible.
10 – Mean time to resolution – The longer it takes to resolve a cybersecurity incident, the more it will cost your organisation in downtime, reputation, customers, and money. How long did it take to resolve incidents during the last reporting period? Is this improving? Be clear about what "resolved" means (contained, eradicated, or fully recovered) and apply it consistently, and report the median alongside the mean, because one long-running incident can drag the average a long way. The aim of this cybersecurity performance metric is to show improvement in response times, and it should be measured in hours.
11 – Reported incidents – How many cyber incidents were discovered or picked up by monitoring tools over the last period? Is the rate of incidents increasing or decreasing? What are the incidents that are being reported? This cybersecurity KPI can help your organisation understand where resources need to be directed in your cybersecurity programme.
12 – Number of incidents by category – Understanding the types of incidents that you are actually experiencing will go a long way towards informing your cybersecurity programme. This metric should list attacks in the most common cyber attacks categories such as ransomware, phishing, DDoS, and so on.
13 – Cost per incident – Cyber incidents cost money, staff hours, lost productivity, and more. This cybersecurity performance metric provides a picture of the resources used to clear up each incident. The aim is for this figure to be as low as possible.
14 – Downtime – When systems are down, employees can’t do their work, customers can’t interact with you, and orders will be unfulfilled. Downtime can be added to the cost of an incident. The goal in this cybersecurity KPI is the shorter the downtime, the better.
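Metrics 9 to 14 are all derived from the same incident records, and the details of how they are calculated matter: which timestamps define "detected" and "resolved", what happens to incidents that are still open at the end of the period, and how much a single outlier distorts a mean. The following is an added worked example, not code from the original article; the record layout, the field names and the four sample incidents are constructed for illustration.

```python
"""Derive incident-response KPIs (MTTD, MTTR, incidents by category, downtime)
from a list of incident records.  Record layout and sample data are constructed
for this example."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass
class Incident:
    ident: str
    category: str
    started: datetime             # earliest evidence of attacker activity,
                                  # usually only established during investigation
    detected: datetime            # when monitoring or a user report raised it
    resolved: Optional[datetime]  # None while the incident is still open
    downtime: timedelta = timedelta(0)


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def detection_times(incidents):
    """Dwell time per incident, in hours (detected minus started)."""
    return [hours(i.detected - i.started) for i in incidents]


def resolution_times(incidents):
    """Time to resolve, closed incidents only.  Counting an open incident as
    'resolved now' would understate the figure for the period."""
    return [hours(i.resolved - i.detected) for i in incidents if i.resolved is not None]


def incident_kpis(incidents, period_end: datetime) -> dict:
    dwell = detection_times(incidents)
    resolve = resolution_times(incidents)
    still_open = [i for i in incidents if i.resolved is None]
    return {
        "count": len(incidents),
        "by_category": dict(Counter(i.category for i in incidents)),
        # The KPI names the mean; the median is reported next to it because one
        # slow-to-detect incident drags the mean a long way from the typical case.
        "mttd_hours": mean(dwell) if dwell else None,
        "median_ttd_hours": median(dwell) if dwell else None,
        "mttr_hours": mean(resolve) if resolve else None,
        "median_ttr_hours": median(resolve) if resolve else None,
        # Open incidents are reported separately rather than silently dropped.
        "open": len(still_open),
        "oldest_open_hours": max((hours(period_end - i.detected) for i in still_open), default=0.0),
        "downtime_hours": sum(hours(i.downtime) for i in incidents),
    }


# Constructed sample data for one reporting period (March 2024).
PERIOD_END = datetime(2024, 3, 31)
SAMPLE_INCIDENTS = [
    Incident("INC-001", "phishing", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 30),
             datetime(2024, 3, 1, 13, 30)),
    # Ransomware found three days after initial access: the outlier that skews the mean.
    Incident("INC-002", "ransomware", datetime(2024, 3, 2, 2, 0), datetime(2024, 3, 5, 8, 0),
             datetime(2024, 3, 7, 8, 0), downtime=timedelta(hours=20)),
    Incident("INC-003", "phishing", datetime(2024, 3, 10, 10, 0), datetime(2024, 3, 10, 11, 0),
             datetime(2024, 3, 10, 12, 0)),
    # Still open at the end of the period, so it is excluded from MTTR.
    Incident("INC-004", "ddos", datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 14, 5),
             None, downtime=timedelta(hours=2)),
]


def sample_kpis() -> dict:
    return incident_kpis(SAMPLE_INCIDENTS, PERIOD_END)


if __name__ == "__main__":
    for name, value in sample_kpis().items():
        print(f"{name:18} {value}")
```

On the sample data the mean time to detection is just under 20 hours while the median is 45 minutes: three of the four incidents were caught within the hour and one ransomware case took three days. Reporting both figures tells management that the story is "one bad detection", not "detection is slow across the board", which points to a very different corrective action.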
Choosing the right cybersecurity performance metrics
There is no prescribed list of cybersecurity KPIs. Your cybersecurity performance metrics should support your cybersecurity risk management programme and give valuable insight to your management team and decision makers.
The cybersecurity performance metrics you collect and report should be able to tell the story to non-technical managers and cyber professionals alike, and demonstrate the value of investing in cybersecurity. Where possible your cybersecurity performance metrics should allow you to benchmark your organisation against industry standards.
Whichever metrics you choose, they should be an asset to your overall security.