What is Cybersecurity Performance Management?
Cybersecurity performance management is the process of evaluating and overseeing the effectiveness of your security program. It can be a challenge to manage, as the usual performance management indicators — cost and revenue — don’t apply. Additionally, the field is always changing; new technologies evolve and threats advance quickly. It’s easy to be taken by surprise, and in light of this constantly changing threat landscape, it may be hard to know how your cybersecurity program is performing. Cybersecurity performance management is possible, however.
If you’re going to manage your cybersecurity program’s performance, you have to be able to measure it. Fortunately, there are metrics that will help you manage your cybersecurity performance. You just have to choose the ones that are relevant to your organization.
Why is cybersecurity performance management important?
Good cybersecurity performance management tells you where your security program is succeeding, where your weak spots are, and helps your security team and leadership understand what steps you need to take to make your cybersecurity program stronger.
This is done by measuring your information security program against key performance indicators (KPIs), such as:
- The time it takes to detect security-related incidents
- The time it takes to respond to security incidents
- Number of reported incidents
- The number and frequency of unreported incidents discovered after the fact
- Awareness of possible threats
- Level of preparedness
- Security training results
- The absence of unexpected security incidents
- Your organization’s security rating
These aren’t necessarily the only metrics to track — your security team and leadership should work together to choose the benchmarks that matter most to your organization based on your business goals, best practices, and your company’s specific risk. (You may also choose to use competitors’ best practices and security budget as a KPI, for example.)
These KPIs should be easy to obtain, easily measurable, and easy to understand.
What are the challenges of cybersecurity performance management?
Although metrics are key, they can also be a distraction. If you’re tracking too many metrics, or if your KPIs are subjective or irrelevant, the story you’re trying to tell about your cybersecurity program can get distorted.
McKinsey’s James Kaplan and Jim Boehm offer the example of reports sent by the security team to senior management. Those reports feature references to “the millions of attacks the organization faces per week or per day.” While “millions of attacks” sounds impressive, those incidents are likely not from skilled cybercriminals, and are probably pretty easy to repel.
Focusing on just the number of deflected incidents can provide management with a false sense of security. Executives might think they’ve got a robust cybersecurity program — after all, they’re catching and resolving millions of attacks a week — when in fact the real threats are flying under the radar.
Another pitfall in cybersecurity management is static reporting. Organizations may be relying on metrics that are only issued periodically, such as point-in-time assessments. Those reports are snapshots capturing just one moment. A vendor that’s in compliance when a questionnaire is filled out may be out of compliance the next day.
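To make the KPIs listed above (time to detect, time to respond, incidents discovered after the fact) concrete, and to show how the “millions of attacks” distortion is avoided, here is an added Python example that is not part of the original page or of any SecurityScorecard product. It computes those KPIs over a constructed set of confirmed incidents and reports perimeter block counts as a separate, clearly labelled figure instead of mixing them into the incident numbers; the record fields and severity scale are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median

# Assumed severity scale; adjust to your organization's own classification.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Incident:
    id: str
    severity: str        # "low", "medium" or "high"
    occurred: datetime   # when the compromise actually began (from forensics)
    detected: datetime   # when the security team first became aware of it
    resolved: datetime   # when the incident was closed out
    self_detected: bool  # False = reported by an outside party after the fact

# Constructed sample incident records (not real data).
INCIDENTS = [
    Incident("INC-1", "high", datetime(2024, 3, 1, 2), datetime(2024, 3, 1, 6), datetime(2024, 3, 2, 6), True),
    Incident("INC-2", "medium", datetime(2024, 3, 3, 10), datetime(2024, 3, 3, 10, 30), datetime(2024, 3, 3, 14, 30), True),
    Incident("INC-3", "high", datetime(2024, 2, 20), datetime(2024, 3, 5), datetime(2024, 3, 7), False),
    Incident("INC-4", "low", datetime(2024, 3, 6, 9), datetime(2024, 3, 6, 9, 5), datetime(2024, 3, 6, 9, 35), True),
]

def hours(delta):
    return delta.total_seconds() / 3600

def kpis(incidents, blocked_events, min_severity="medium"):
    """Time-based KPIs over confirmed incidents at or above min_severity.

    Perimeter blocks (firewall/WAF drops) are not incidents; they are returned
    as a separate number so a large count of trivially repelled events cannot
    inflate the picture of how the program handles real incidents.
    """
    scope = [i for i in incidents
             if SEVERITY_RANK[i.severity] >= SEVERITY_RANK[min_severity]]
    if not scope:
        return {"count": 0, "blocked_events_not_counted": blocked_events}
    ttd = [hours(i.detected - i.occurred) for i in scope]   # dwell time
    ttr = [hours(i.resolved - i.detected) for i in scope]   # response time
    return {
        "count": len(scope),
        "mean_time_to_detect_h": mean(ttd),
        "median_time_to_detect_h": median(ttd),  # robust to one long-dwell outlier
        "mean_time_to_respond_h": mean(ttr),
        "found_after_the_fact": sum(not i.self_detected for i in scope),
        "blocked_events_not_counted": blocked_events,
    }

if __name__ == "__main__":
    for key, value in kpis(INCIDENTS, blocked_events=2_400_000).items():
        print(f"{key}: {value}")
```

The gap between the mean and median time to detect in the sample output is exactly the kind of signal a single headline number hides: one incident reported by an outside party after two weeks of dwell time dominates the mean.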
What are the benefits of security performance management?
Security performance management provides a baseline for improving an organization’s security, helps an organization make the most cost-effective decisions, increases cybersecurity return on investment, and enables leaders to efficiently utilize resources where they are needed most. It also helps connect members of an organization and facilitate conversations between the CISO, C-suite and board.
How SecurityScorecard’s security ratings help guide cybersecurity performance management
To get better metrics, you need continuous reporting that tells you how secure your organization and extended enterprise are at any moment in time.
SecurityScorecard enables you to view and continuously monitor security ratings, easily add vendors or partner organizations, and report on the cyberhealth of your ecosystem. When an issue is detected, the platform automatically generates a recommended action plan for issue remediation in order to achieve a “target” letter grade for customers and their vendor and partner organizations.
It also provides access to breach insights and shows a clear record of issues that have impacted scores over time. Additional collaboration tools help enterprises better manage security and ensure continuous compliance with regulatory standards and frameworks.
Your metrics should tell a story about your security program: how prepared you are for an attack, the attacks that have been discovered and resolved, the vulnerabilities that made those incidents possible and the steps being taken to close those holes in the security program. Continuous, automatic reporting can help you do that.
Cybersecurity performance management FAQs
What are security ratings?
Security ratings are a key component of cybersecurity performance management. Security ratings are data-driven, actionable insights that you can incorporate into your organization. Instantly rate, understand, and continuously monitor the security posture of any company worldwide. Data is collected across the internet for an objective, outside-in perspective of an organization’s cybersecurity posture.
What does security performance management look at?
Security performance management first looks over cybersecurity infrastructure. This includes tools like encryption, two-factor authentication, firewalls, anti-malware and more. On a deeper level, security performance management also deals with the workforce using the infrastructure: in essence, anyone who uses the tools and has access to your organization’s data.
Who should be involved in security performance management?
There are several key members that you will want to include on your security performance team. Depending on the scope of your organization, this should generally include:
- CISO
- Senior management
- Privacy officers
- Compliance officers
- Human resources
- Managers from each business line