Posted on Sep 12, 2019
Cyber security performance can be a challenge to manage. For one thing, the usual performance management indicators — cost and revenue — don’t apply. For another, the field is always changing; new technologies evolve and threats change quickly. It’s easy to be taken by surprise, and in light of this constantly-changing threat landscape, it may be hard to know how your cyber security program is performing.
Cyber security performance management is possible, however.
It comes down to this: if you’re going to manage your cyber security program’s performance, you have to be able to measure it. A surprising number of organizations who’ve invested in information security aren’t doing that: one recent survey found that 58% of respondents aren’t adequately measuring their cyber security programs against best practices.
Fortunately, there are metrics that will help you manage your cyber security performance. You just have to choose the ones that are relevant to your organization.
Cyber security performance management is pretty much what it says on the box: the process of evaluating and overseeing the effectiveness of your security program.
Good cyber security performance management tells you where your security program is succeeding, where your weak spots are, and helps your security team and leadership understand what steps you need to take to make your security program stronger.
This is done by measuring your information security program against key performance indicators (KPIs), such as:
These aren’t necessarily the only metrics to track — your security team and leadership should work together to choose the benchmarks that matter most to your organization based on your business goals, best practices and your company’s specific risk. (You may also choose to use competitors’ best practices and security budget as a KPI, for example.)
These KPIs should be easy to obtain, easily measurable, and easy to understand.
Although metrics are key, they can also be a distraction.
If you’re tracking too many metrics, or if your KPIs are subjective or irrelevant, the story you’re trying to tell about your cyber security program can get distorted.
McKinsey’s James Kaplan and Jim Boehm offer the example of reports sent by the security team to senior management. Those reports feature references to “the millions of attacks the organization faces per week or per day.” While “millions of attacks” sounds impressive, those incidents are likely not from skilled cyber criminals, and are probably pretty easy to repel.
Focusing on just the number of deflected incidents can provide management with a false sense of security. Executives might think they’ve got a robust cyber security program — after all, they’re catching and resolving millions of attacks a week — when in fact the real threats are flying under the radar.
Another pitfall in cyber security management is static reporting. Organizations may be relying on metrics — like security ratings — that are only issued periodically. Those reports are snapshots capturing just one moment in time. A vendor that’s in compliance when a questionnaire is filled out may be out of compliance the next day.
To get better metrics, you need continuous reporting that tells you how secure your organization and extended enterprise are at any moment in time.
SecurityScorecard enables you to view and continuously monitor security ratings, easily add vendors or partner organizations, and report on the cyberhealth of your ecosystem. When an issue is detected, the platform automatically generates a recommended action plan for issue remediation in order to achieve a “target” letter grade for customers and their vendor and partner organizations.
It also provides access to breach insights and shows a clear record of issues that have impacted scores over time. Additional collaboration tools help enterprises better manage security and ensure continuous compliance with regulatory standards and frameworks.
Your metrics should tell a story about your security program: how prepared you are for an attack, the attacks that have been discovered and resolved, the vulnerabilities that made those incidents possible and the steps being taken to close those holes in the security program. Continuous, automatic reporting can help you do that.