What is Cyber Security Performance Management?

By Phoebe Fasulo

Posted on Sep 12, 2019

Cyber security performance can be a challenge to manage. For one thing, the usual performance management indicators, cost and revenue, don’t apply. For another, the field never stands still: new technologies arrive and threats change quickly, so it’s easy to be taken by surprise and hard to know how your cyber security program is actually performing.

Cyber security performance management is possible, however.

It comes down to this: if you’re going to manage your cyber security program’s performance, you have to be able to measure it. A surprising number of organizations that have invested in information security aren’t doing that: one recent survey found that 58% of respondents aren’t adequately measuring their cyber security programs against best practices.

Fortunately, there are metrics that will help you manage your cyber security performance. You just have to choose the ones that are relevant to your organization. 

First, what is Cyber Security Performance Management?

Cyber security performance management is pretty much what it says on the box: the process of evaluating and overseeing the effectiveness of your security program.

Good cyber security performance management tells you where your security program is succeeding, where your weak spots are, and helps your security team and leadership understand what steps you need to take to make your security program stronger. 

This is done by measuring your information security program against key performance indicators (KPIs), such as:

  • The time it takes to detect security incidents (commonly reported as mean time to detect, or MTTD)
  • The time it takes to respond to and contain security incidents (mean time to respond, or MTTR)
  • Number of reported incidents
  • The number and frequency of unreported incidents discovered after the fact
  • Awareness of possible threats
  • Level of preparedness
  • Security training results
  • The absence of unexpected security incidents
  • Your organization’s security rating

These aren’t necessarily the only metrics to track. Your security team and leadership should work together to choose the benchmarks that matter most to your organization based on your business goals, industry best practices and your company’s specific risks. (You might, for example, benchmark against competitors’ practices or security budgets.)

These KPIs should be easy to obtain, easily measurable, and easy to understand. 

Why cyber security performance management can be tricky 

Although metrics are key, they can also be a distraction. 

If you’re tracking too many metrics, or if your KPIs are subjective or irrelevant, the story you’re trying to tell about your cyber security program can get distorted. 

McKinsey’s James Kaplan and Jim Boehm offer the example of reports sent by the security team to senior management. Those reports feature references to “the millions of attacks the organization faces per week or per day.” While “millions of attacks” sounds impressive, most of those events are automated, low-skill activity that existing controls repel without any human effort.

Focusing on just the number of deflected incidents can provide management with a false sense of security. Executives might think they’ve got a robust cyber security program — after all, they’re catching and resolving millions of attacks a week — when in fact the real threats are flying under the radar. 
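The detection-time and response-time KPIs listed above, and the pitfall of counting repelled noise alongside real incidents, can be computed from an incident register. The script below is an added example written for this page; it is not part of the original article or of SecurityScorecard’s product, and the incident records, timestamps and field names are constructed for illustration. It separates automatically blocked events from confirmed incidents, reports time to detect as mean, median and 90th percentile, and counts incidents that were discovered by outside parties after the fact.

```python
"""Security KPI roll-up over an incident register (constructed sample data, not real incidents)."""
import math
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import List, Optional


@dataclass
class Event:
    event_id: str
    kind: str                        # "blocked": repelled automatically; "incident": confirmed intrusion
    first_activity: datetime         # earliest attacker activity established during investigation
    detected: Optional[datetime]     # when the team opened a case; None if never detected internally
    contained: Optional[datetime]    # when the incident was contained; None if still open
    found_by: str = "internal"       # "internal" or "external" (customer, partner, law enforcement)


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def _percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile: the value at rank ceil(pct/100 * n) of the sorted list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def confirmed_incidents(events: List[Event]) -> List[Event]:
    """Blocked events are noise for KPI purposes; only confirmed incidents are measured."""
    return [e for e in events if e.kind == "incident"]


def time_to_detect_hours(events: List[Event]) -> List[float]:
    """Hours from first attacker activity to a case being opened, per detected incident."""
    return [_hours(e.first_activity, e.detected)
            for e in confirmed_incidents(events) if e.detected is not None]


def time_to_respond_hours(events: List[Event]) -> List[float]:
    """Hours from detection to containment, per closed incident (open ones are excluded)."""
    return [_hours(e.detected, e.contained)
            for e in confirmed_incidents(events)
            if e.detected is not None and e.contained is not None]


def kpi_summary(events: List[Event]) -> dict:
    incidents = confirmed_incidents(events)
    ttd = time_to_detect_hours(events)
    ttr = time_to_respond_hours(events)
    return {
        "events_blocked_automatically": sum(1 for e in events if e.kind == "blocked"),
        "confirmed_incidents": len(incidents),
        "incidents_found_externally": sum(1 for e in incidents if e.found_by == "external"),
        "open_incidents": sum(1 for e in incidents if e.contained is None),
        "mttd_mean_h": round(mean(ttd), 1) if ttd else None,
        "mttd_median_h": round(median(ttd), 1) if ttd else None,
        "mttd_p90_h": round(_percentile(ttd, 90), 1) if ttd else None,
        "mttr_median_h": round(median(ttr), 1) if ttr else None,
    }


# Constructed sample register: three auto-blocked events and four confirmed incidents.
_T = datetime
EVENTS = [
    Event("blk-1", "blocked", _T(2019, 8, 1, 3, 0), _T(2019, 8, 1, 3, 0), _T(2019, 8, 1, 3, 0)),
    Event("blk-2", "blocked", _T(2019, 8, 2, 11, 0), _T(2019, 8, 2, 11, 0), _T(2019, 8, 2, 11, 0)),
    Event("blk-3", "blocked", _T(2019, 8, 9, 17, 0), _T(2019, 8, 9, 17, 0), _T(2019, 8, 9, 17, 0)),
    # Detected in 4 h, contained 8 h later.
    Event("inc-1", "incident", _T(2019, 8, 1, 9, 0), _T(2019, 8, 1, 13, 0), _T(2019, 8, 1, 21, 0)),
    # Detected after 24 h, contained 36 h later.
    Event("inc-2", "incident", _T(2019, 8, 5, 2, 0), _T(2019, 8, 6, 2, 0), _T(2019, 8, 7, 14, 0)),
    # Found by a partner 42 days (1008 h) after first activity: the "discovered after the fact" case.
    Event("inc-3", "incident", _T(2019, 7, 1, 0, 0), _T(2019, 8, 12, 0, 0), _T(2019, 8, 14, 0, 0),
          found_by="external"),
    # Detected in 2 h, still open at reporting time.
    Event("inc-4", "incident", _T(2019, 8, 20, 10, 0), _T(2019, 8, 20, 12, 0), None),
]

if __name__ == "__main__":
    for key, value in kpi_summary(EVENTS).items():
        print(f"{key:32s} {value}")
```

In the constructed data the mean time to detect is dominated by the single incident an outside party found weeks after the fact, while the median tells a very different story; reporting both, together with the count of externally discovered incidents, avoids the distortion described above. The blocked events are counted on their own line rather than being folded into “incidents handled”, which is exactly the inflation the “millions of attacks” report suffers from.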

Another pitfall in cyber security performance management is static reporting. Organizations may be relying on metrics, such as security ratings, that are only issued periodically. Those reports are snapshots capturing just one moment in time. A vendor that is in compliance on the day it fills out a questionnaire may be out of compliance the next day.

How SecurityScorecard can help

To get better metrics, you need continuous reporting that tells you how secure your organization and its extended enterprise are at any moment in time.

SecurityScorecard enables you to view and continuously monitor security ratings, easily add vendors or partner organizations, and report on the cyberhealth of your ecosystem. When an issue is detected, the platform automatically generates a recommended action plan for issue remediation in order to achieve a “target” letter grade for customers and their vendor and partner organizations. 

It also provides access to breach insights and shows a clear record of issues that have impacted scores over time. Additional collaboration tools help enterprises better manage security and ensure continuous compliance with regulatory standards and frameworks.

Your metrics should tell a story about your security program: how prepared you are for an attack, the attacks that have been discovered and resolved, the vulnerabilities that made those incidents possible and the steps being taken to close those holes in the security program. Continuous, automatic reporting can help you do that.
