You can’t manage what you don’t measure, the old adage goes, and it still proves true today, especially for your cybersecurity program. You can’t know whether your program is successful until you establish clear metrics for defining and tracking progress toward desired outcomes. Metrics are crucial for decision making, improving performance, and establishing accountability. Effective cybersecurity metrics identify weaknesses, reveal trends that let you allocate security resources more efficiently, and show whether the security controls you have implemented are actually working.
Your cybersecurity risk management program is responsible for ensuring the confidentiality, integrity, and availability of your information systems through the management of people, processes, and technology. Metrics can demonstrate the value and cost savings your cybersecurity program provides to your organization, and keep it from being viewed as “overhead” or an expense that does not contribute to the bottom line. Cybersecurity metrics also do more than inform people about the work you are doing; they shape employee perceptions and behavior by sending a clear message about which cybersecurity initiatives matter to your organization.
Reporting Cybersecurity Metrics
Cybersecurity metrics should be reported to key stakeholders in your organization on a regular cadence; monthly is common, and some compliance frameworks prescribe a minimum reporting frequency, so check the standards that apply to you. Reports should cover both threats and opportunities, and convey enough information for your organization to understand the cybersecurity risk to its operations, assets, and reputation, as well as to individual members of your organization.
The cybersecurity metrics you report should be quantifiable, observable, and objective, for example:
- Number of port scans on Internet connection
- Number of password lockouts due to repeated failed attempts on a system or network
- Number of people who have not completed security training
- Number of patches that have not been installed
- Number of incidents and the different types of incidents
- Number of spam messages that were quarantined
- Number of malicious attempts on Internet-facing web servers
Cybersecurity Benchmarks and Baselines
Once your systems have been configured to log this information, you can set benchmarks based on the performance of industry leaders or best practices used by other organizations. Benchmarks provide targets to aim for. You should also set baselines, which let you determine whether the data you are collecting indicates your performance is improving or degrading over time. Baselining and benchmarking help you identify trends and address gaps in your security measures. For instance, if the number of incidents is rising, you might consider a different anti-virus product or an additional product that identifies behavior-based malicious activity and blocks it on the device. Be careful with the interpretation, though: a rise in a detection count can also mean you are simply detecting more, for example after deploying a new sensor, so compare a metric against its own baseline before treating a change as a problem.
Once you have good log information, you can build profiles of typical network and user activity, and use these profiles to identify suspicious activity that falls outside expected norms. Comparing your logs against those profiles provides an early warning system that can help your organization deal with threats before they gain a foothold. For example, it may uncover problems such as data leakage, which would indicate that Data Loss Prevention (DLP) should be implemented in your environment.
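As a worked illustration of the metrics list and the baselining described above, here is a small Python script that is an added example, not code from the original article or from Cerium Networks. It parses constructed syslog-style lines (the log format, host names, program names and IP addresses are all assumptions made for the example), tallies four of the metrics from the list per day (port scans, password lockouts, quarantined spam, blocked web requests), builds a robust baseline from the earlier days, and flags the metrics on a chosen day that exceed that baseline.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log (not real data). Assumed line format:
#   "<date> <host> <program>: <message>"
# Days 1-3 are quiet; day 4 contains a port scan and a burst of lockouts.
SAMPLE_LOG = """\
2024-03-01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22
2024-03-01 srv01 pam_tally2: user alice locked after 5 failed logins
2024-03-01 mx01 spamd: quarantined message from 198.51.100.77
2024-03-01 web01 modsec: denied request GET /admin from 203.0.113.9
2024-03-02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP DPT=3389
2024-03-02 srv01 pam_tally2: user bob locked after 5 failed logins
2024-03-02 mx01 spamd: quarantined message from 198.51.100.78
2024-03-02 mx01 spamd: quarantined message from 198.51.100.79
2024-03-03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22
2024-03-03 srv01 pam_tally2: user alice locked after 5 failed logins
2024-03-03 mx01 spamd: quarantined message from 198.51.100.80
2024-03-03 web01 modsec: denied request GET /wp-login.php from 203.0.113.10
2024-03-04 fw01 kernel: DROP IN=eth0 SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP DPT=21
2024-03-04 fw01 kernel: DROP IN=eth0 SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP DPT=22
2024-03-04 fw01 kernel: DROP IN=eth0 SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP DPT=23
2024-03-04 fw01 kernel: DROP IN=eth0 SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP DPT=80
2024-03-04 fw01 kernel: DROP IN=eth0 SRC=203.0.113.50 DST=198.51.100.2 PROTO=TCP DPT=443
2024-03-04 srv01 pam_tally2: user alice locked after 5 failed logins
2024-03-04 srv01 pam_tally2: user bob locked after 5 failed logins
2024-03-04 srv01 pam_tally2: user carol locked after 5 failed logins
2024-03-04 srv01 pam_tally2: user dave locked after 5 failed logins
2024-03-04 srv01 pam_tally2: user erin locked after 5 failed logins
2024-03-04 srv01 pam_tally2: user frank locked after 5 failed logins
2024-03-04 mx01 spamd: quarantined message from 198.51.100.81
2024-03-04 mx01 spamd: quarantined message from 198.51.100.82
2024-03-04 web01 modsec: denied request GET /admin from 203.0.113.11
"""

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
DROP_RE = re.compile(r"^DROP .*\bSRC=(?P<src>\S+) .*\bDPT=(?P<dpt>\d+)")
METRICS = ("port_scans", "lockouts", "spam_quarantined", "web_blocked")


def daily_metrics(log_text, scan_ports=3):
    """Tally the metrics per day. A 'port scan' is counted once per source IP
    that probes at least `scan_ports` distinct destination ports in one day."""
    counts = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    ports_by_src = defaultdict(lambda: defaultdict(set))  # date -> src -> {dpt}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole report
        date, prog, msg = m["date"], m["prog"], m["msg"]
        day = counts[date]
        if prog == "kernel" and (d := DROP_RE.match(msg)):
            ports_by_src[date][d["src"]].add(d["dpt"])
        elif prog == "pam_tally2" and " locked " in msg:
            day["lockouts"] += 1
        elif prog == "spamd" and msg.startswith("quarantined"):
            day["spam_quarantined"] += 1
        elif prog == "modsec" and msg.startswith("denied"):
            day["web_blocked"] += 1
    for date, srcs in ports_by_src.items():
        counts[date]["port_scans"] = sum(1 for ports in srcs.values() if len(ports) >= scan_ports)
    return dict(counts)


def baseline(values, k=3.0):
    """Robust baseline: median plus k times the median absolute deviation (MAD).
    With short histories the MAD is often 0, so it is floored at one event."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med + k * max(mad, 1.0)


def anomalies(metrics_by_day, target_date, k=3.0):
    """Compare `target_date` against a baseline built from all earlier days.
    Returns {metric: (observed, threshold)} for every metric above threshold."""
    history = [d for d in sorted(metrics_by_day) if d < target_date]
    if not history:
        raise ValueError("no earlier days to build a baseline from")
    today = metrics_by_day[target_date]
    flagged = {}
    for name in METRICS:
        threshold = baseline([metrics_by_day[d][name] for d in history], k)
        if today[name] > threshold:
            flagged[name] = (today[name], threshold)
    return flagged


if __name__ == "__main__":
    per_day = daily_metrics(SAMPLE_LOG)
    for date in sorted(per_day):
        print(date, per_day[date])
    print("above baseline on 2024-03-04:", anomalies(per_day, "2024-03-04"))
```

The median/MAD baseline is chosen over mean/standard deviation because a single noisy day in the history would otherwise inflate the threshold and hide the next spike. On the constructed data the burst of six lockouts on 2024-03-04 is flagged, while the single scanning host is not, because one scan is within three events of a quiet baseline; tune `k` and `scan_ports` to your own environment rather than reading the absolute counts.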
Use Metrics, But Don’t Be Used by Them
While cybersecurity metrics are great for showing trends and progress, they should not be used to measure the overall security status of an organization at a single point in time. Tying a single metric directly to risk management can be problematic because these metrics change daily and a one-day reading says little on its own. Setting goals that require a reduction in incidents over a period of time can also be counterproductive: because the threat landscape changes so quickly, this generally becomes a losing battle and breeds negativity toward the metric information. Such targets also create an incentive to under-report, which is the opposite of what an incident metric is for.
Cerium Can Help
Cybersecurity metrics can help an organization identify problems or gaps that need to be addressed. They can also assist with decision making, create and raise cybersecurity awareness, and improve overall cybersecurity standards. Cerium Networks can assist your organization in compiling, retaining, analyzing, and reporting these metrics to your management team. Let our security consultants help you demonstrate the value of cybersecurity.