How to use KPIs to generate results in Cybersecurity?Rosario
Obtaining investment from business leaders to create a mature cybersecurity program and fund initiatives is imperative to success in enterprise risk mitigation. Often, security and IT organizations struggle to gain the executive attention needed to advance their priorities and develop even basic cybersecurity capabilities.
Year after year, important initiatives lose priority to other business initiatives, pushing the adoption of important technologies or funding staff to manage critical processes. The result is an organization with increasing exposure to unwanted cybersecurity risks and challenges. Fundamental capabilities for effective security operations that enhance visibility with tools like ours are deemed too costly.
What strategies can cybersecurity personnel use to reduce the noise of competing business initiatives and get the focus and investment they need to achieve their objectives? Or to adequately fund the adoption of a new technology or capability?
One way is to create a reporting system that speaks executive language and summarizes hard-to-understand technology into business concepts: risk, reward, performance targets, metrics and success. Simply establishing what the core priorities of a cyber program are and then formally reporting on key performance indicators on a regular basis can have a profound impact. What an organization chooses to pay attention to grows naturally.
What is reported can vary from organization to organization, depending on the operating environment, the type of data transmitted and stored, and the regulatory and compliance standards in play, to name a few. A basic one to keep in mind should be simplicity; too many data points create noise and inaction. At a minimum, many organizations will consider attack surface, vulnerabilities and exposures, incidents and employee training as a good starting point.
Asset management is at the core of every program. It is impossible to protect what you don’t know or see. Yet most organizations fail to have a complete understanding of their basic IT footprint. Every piece of hardware and software owned by an organization must be accounted for and every connection to its networks and infrastructure from ancillary systems must be monitored.
Shadow IT, BYOD (Bring Your Own Device) and WFA (Work from Anywhere) have compounded these challenges as traditional endpoints evaporate and the flow of corporate data across untrusted networks and devices has become increasingly common. This complicated patch job is the corporate attack surface. Reporting the extent of that footprint, at a minimum, demonstrates awareness of what is important to the organization.
Surprisingly, many organizations cannot easily quantify how many servers they own, the type of operating systems they run, the number of workstations and mobile devices they have, or even where their assets are located at any given time. This knowledge is critical and reporting it regularly to executives ensures they appreciate the scope of the program while establishing a priority to keep data current and constantly updated.
Vulnerability and patch management
This is perhaps one of the most impactful KPIs, not only because it is so important to protecting the enterprise, but because it is a constantly moving target (NIST’s national vulnerability database has more than 17,000 CVEs submitted this year alone). Most data breaches (more than 90%) exploit a known vulnerability.
An effective vulnerability management program should include scanning to identify new vulnerabilities in your infrastructure on a regular basis. KPIs around this can include the number of existing vulnerabilities discovered in the organization during the reporting period, categorization by CVE, how quickly they are remediated after discovery, and graphs that linearly show the reduction in vulnerabilities over time.
A risk register that tracks every incident in the organization, its severity, resolution and lessons learned is imperative. Therefore, it is necessary to generate awareness of the number of incidents, associated business impacts, efforts to determine root cause and mitigations.
Many organizations lack even a fundamental classification system that is well understood across the enterprise. Socializing incidents from the last reporting period with executives reinforces a shared understanding of what constitutes a Level 1 versus a Level 4 incident, the organization’s expected response, who should be notified, etc. A KPI review keeps these classification systems top of mind and also improves the organization’s overall preparedness when new incidents occur.
Performance metrics may include the progress of employee training and awareness campaigns, structured training (online and in-person), initiatives that focus on basic concepts (such as think before you click or how a clean desk is a cybersecurity priority) or lessons learned from a recent simulation exercise.
All are necessary topics for discussion with executive stakeholders. Many organizations get creative in this area, featuring safety mascots or even competitions between business units.
Where to start
For organizations in the early stages of the KPI development process, a good starting point is a comprehensive dashboard.
This innovative approach to change management helps to:
– clarify vision, mission and strategic themes
– gain alignment and buy-in
– break down organizational silos
– define key objectives, initiatives and success metrics
– inform the content of the dashboard
This framework can be a valuable tool for a security team to organize its strategy and extract simple measures of success.
Perhaps the best value of a KPI review is the simple act of cultivating curiosity. KPI reviews are an opportunity for executives to question the what and the why; to dig deeper. Provoking a curiosity of one’s own creates focus, attention and concern. Cultivating it is one of the powerful catalysts a security team can use to mature the cybersecurity program.
Many technologists, buried in the complexities of engineering solutions and protecting bits and bytes, underutilize this simple strategy to keep their priorities in the minds of business leaders. Our advice: cultivate curiosity, generate questions and watch the investment in your ideas and programs grow.