Cybersecurity performance management is the process of evaluating and overseeing the effectiveness of your security program. It can be a challenge to manage, because the usual performance management indicators, cost and revenue, don’t apply. Additionally, the field is always changing: new technologies evolve and threats advance quickly. It’s easy to be taken by surprise, and in light of this constantly changing threat landscape it may be hard to know how your cybersecurity program is performing. Cybersecurity performance management is possible, however.
If you’re going to manage your cybersecurity program’s performance, you have to be able to measure it. A surprising number of organizations that have invested in information security aren’t doing that: one recent survey found that 58% of respondents aren’t adequately measuring their cybersecurity programs against best practices.
Fortunately, there are metrics that will help you manage your cybersecurity performance. You just have to choose the ones that are relevant to your organization.
Why is cybersecurity performance management important?
Good cybersecurity performance management tells you where your security program is succeeding, where your weak spots are, and helps your security team and leadership understand what steps you need to take to make your security program stronger.
This is done by measuring your information security program against key performance indicators (KPIs), such as:
- The time it takes to detect security-related incidents
- The time it takes to respond to security incidents
- Number of reported incidents
- The number and frequency of unreported incidents discovered after the fact
- Awareness of possible threats
- Level of preparedness
- Security training results
- The absence of unexpected security incidents
- Your organization’s security rating
These aren’t necessarily the only metrics to track — your security team and leadership should work together to choose the benchmarks that matter most to your organization based on your business goals, best practices, and your company’s specific risk. (You may also choose to use competitors’ best practices and security budget as a KPI, for example.)
These KPIs should be easy to obtain, easily measurable, and easy to understand.
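As an added illustration (not part of the original article), the following Python computes three of the KPIs listed above, time to detect, time to respond, and the split between incidents reported by the team and those found after the fact, from a constructed set of incident records; the Incident schema and the sample data are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional

@dataclass
class Incident:
    """One security incident record (hypothetical schema for this example)."""
    occurred: datetime            # when the malicious activity actually began
    detected: datetime            # when the security team first became aware of it
    resolved: Optional[datetime]  # None while the incident is still open
    found_after_the_fact: bool    # True if discovered later (e.g. by a third party), not by monitoring

def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600

def compute_kpis(incidents: list[Incident]) -> dict:
    """Summarise detection, response and reporting KPIs for a set of incidents."""
    ttd = [hours(i.detected - i.occurred) for i in incidents]
    ttr = [hours(i.resolved - i.detected) for i in incidents if i.resolved is not None]
    after_the_fact = sum(1 for i in incidents if i.found_after_the_fact)
    return {
        # Mean and median time to detect: a single late discovery skews the mean badly,
        # so reporting both tells a more honest story than either figure alone.
        "mttd_hours": mean(ttd) if ttd else None,
        "median_ttd_hours": median(ttd) if ttd else None,
        # Time to respond is only meaningful for incidents that have been closed.
        "mttr_hours": mean(ttr) if ttr else None,
        "open_incidents": len(incidents) - len(ttr),
        "reported_by_team": len(incidents) - after_the_fact,
        "found_after_the_fact": after_the_fact,
    }

# Constructed sample data: two incidents caught by monitoring within hours, and one that
# ran undetected for a week before a third party reported it (still being worked).
T0 = datetime(2024, 1, 1, 9, 0)
H = timedelta(hours=1)
SAMPLE_INCIDENTS = [
    Incident(T0, T0 + 2 * H, T0 + 10 * H, False),
    Incident(T0 + 24 * H, T0 + 28 * H, T0 + 40 * H, False),
    Incident(T0 + 48 * H, T0 + 216 * H, None, True),
]

if __name__ == "__main__":
    for name, value in compute_kpis(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
```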
The challenges of cybersecurity performance management
Although metrics are key, they can also be a distraction. If you’re tracking too many metrics, or if your KPIs are subjective or irrelevant, the story you’re trying to tell about your cybersecurity program can get distorted.
McKinsey’s James Kaplan and Jim Boehm offer the example of reports sent by the security team to senior management. Those reports feature references to “the millions of attacks the organization faces per week or per day.” While “millions of attacks” sounds impressive, those incidents are likely not from skilled cybercriminals, and are probably pretty easy to repel.
Focusing on just the number of deflected incidents can provide management with a false sense of security. Executives might think they’ve got a robust cybersecurity program — after all, they’re catching and resolving millions of attacks a week — when in fact the real threats are flying under the radar.
Another pitfall in cybersecurity management is static reporting. Organizations may be relying on metrics that are only issued periodically, such as point-in-time assessments. Those reports are snapshots capturing just one moment. A vendor that’s in compliance when a questionnaire is filled out may be out of compliance the next day.
How SecurityScorecard’s security ratings can help guide cybersecurity performance management
To get better metrics, you need continuous reporting that tells you how secure your organization and its extended enterprise are at any moment in time.
SecurityScorecard enables you to view and continuously monitor security ratings, easily add vendors or partner organizations, and report on the cyberhealth of your ecosystem. When an issue is detected, the platform automatically generates a recommended action plan for issue remediation in order to achieve a “target” letter grade for customers and their vendor and partner organizations.
It also provides access to breach insights and shows a clear record of issues that have impacted scores over time. Additional collaboration tools help enterprises better manage security and ensure continuous compliance with regulatory standards and frameworks.
Your metrics should tell a story about your security program: how prepared you are for an attack, the attacks that have been discovered and resolved, the vulnerabilities that made those incidents possible, and the steps being taken to close those holes in the security program. Continuous, automatic reporting can help you do that.