As legendary management guru Peter Drucker said, “You can’t manage what you can’t measure.” For some business functions, such as sales and human resources, standard metrics clearly illustrate whether or not departments are on track to meet business objectives. Unfortunately, it’s not as clear-cut for security programs.
While many organizations may realize they can’t entirely eliminate cyber risk, they still need to quantify their security efforts and set thresholds to show whether they’re trending positively or introducing more risk. The right metrics help to shed light on a company’s current security posture and, more importantly, where it might have gaps, shortcomings, or areas to prioritize for future improvement.
Why Metrics Are Hard
Gathering data about security posture, risk, and program maturity is a time-intensive exercise, and every hour spent collecting it is an hour not spent on work that reduces risk directly. A second problem is that many companies lack confidence in the accuracy of their metrics: leaders who measure with incomplete or outdated data from a single source are likely to draw the wrong conclusions.
Companies with greater confidence in their security metrics aggregate data from numerous sources so that the resulting dataset is clean, correlated, and not skewed by any one tool's view of the environment. Combining sources makes commonalities, patterns, and stronger signals easier to find. Successful leaders also sample metrics at short intervals (daily, hourly, or sometimes by the minute) so the data stays current, which matters in a rapidly changing security landscape.
Mature security teams also align their metrics to business objectives and decide up front which outcomes they are measuring for. They ask questions such as: “Are we measuring these metrics to demonstrate that we strengthened our security posture? Or are we measuring to show that we’ve become a more efficient security team?” Without a stated outcome, it is hard to show how security initiatives are helping the business succeed.
Once they have addressed these challenges, the most mature cybersecurity teams identify metrics within the following five categories to gain insight into their security program's maturity and effectiveness. Teams looking to improve their metrics should weigh these recommendations against their desired business outcomes and incorporate what is most essential for them into their metrics program.
Security Posture Management
A standard metric to track is adherence to a framework that carries a security maturity model, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the Center for Internet Security (CIS) Critical Security Controls (historically the CIS Top 20). Measuring adherence to these frameworks involves a large set of underlying metrics, so this alone is a big project, but one that is well worth it.
To understand how all their security processes work together, companies can also measure mean dwell time: the average time between an attacker's initial compromise and the moment the intrusion is detected. Extending the measurement to the point of eradication shows how long a threat actor actually had access to systems before the threat was removed.
Finally, tracking the number of external-facing assets has become an important part of managing security posture. With cloud adoption continuing to rise, measuring the external attack surface and how it changes over time is imperative.
Security Operations and Incident Response (IR)
To measure the effectiveness of the security operations center (SOC) and incident response (IR) teams, leaders can track how long an analyst spends per alert. Looking at the SOC as a whole, they can measure alert capacity at daily, weekly, and monthly intervals. Another helpful metric is mean time to recovery (MTTR), which measures overall speed of recovery by adding up the downtime in a specific period and dividing it by the number of incidents in that period.
Vulnerability Management
Security leaders can track the percentage of identified vulnerabilities they have patched. Monitoring vulnerabilities discovered and the patch rate over the same time intervals shows whether patching is keeping pace with discovery. Measuring the average vulnerability age indicates whether patching cadences are on track or too slow and therefore introducing unnecessary risk.
Asset criticality is an important criterion to add to vulnerability management metrics. Monitoring the patch rate for critical assets separately provides visibility into the risk areas with the greatest impact. If patching rates are faster for critical assets than for the estate as a whole, that is a sign that priorities are in line.
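As an added example (not code from the original article), the following Python computes mean dwell time to detection and to eradication, MTTR over a reporting period, patch rate overall and for critical assets, and mean vulnerability age from a small set of constructed incident and vulnerability records. The record fields, dates, and asset names are assumptions for illustration; in practice they would come from the case-management and vulnerability-scanning tools discussed above.

```python
"""Added example: computing several of the metrics discussed above from
incident and vulnerability records. All dates and records are constructed
sample data, not from any real environment."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Incident:
    name: str
    compromised: datetime           # earliest attacker activity found in forensics
    detected: datetime              # when the SOC first raised the incident
    eradicated: Optional[datetime]  # None while the incident is still open
    downtime: timedelta             # outage attributed to the incident


@dataclass
class Vulnerability:
    asset: str
    critical_asset: bool            # criticality tag from the asset inventory
    discovered: datetime
    patched: Optional[datetime]     # None while still unpatched


def _mean(deltas: List[timedelta]) -> Optional[timedelta]:
    """Mean of timedeltas; None instead of a division error on an empty set."""
    if not deltas:
        return None
    return sum(deltas, timedelta()) / len(deltas)


def mean_dwell_time(incidents: List[Incident], until: str = "detected") -> Optional[timedelta]:
    """Average dwell time from first compromise to detection (the usual
    definition) or to eradication (how long the attacker really had access).
    Still-open incidents have no eradication time and are skipped in that mode."""
    if until == "detected":
        return _mean([i.detected - i.compromised for i in incidents])
    if until == "eradicated":
        return _mean([i.eradicated - i.compromised for i in incidents if i.eradicated])
    raise ValueError("until must be 'detected' or 'eradicated'")


def mean_time_to_recovery(incidents: List[Incident],
                          period_start: datetime,
                          period_end: datetime) -> Optional[timedelta]:
    """MTTR as described above: total downtime of incidents detected in
    [period_start, period_end) divided by the number of those incidents."""
    in_period = [i for i in incidents if period_start <= i.detected < period_end]
    return _mean([i.downtime for i in in_period])


def patch_rate(vulns: List[Vulnerability], critical_only: bool = False) -> Optional[float]:
    """Fraction of identified vulnerabilities that have been patched,
    optionally restricted to findings on critical assets."""
    pool = [v for v in vulns if v.critical_asset] if critical_only else list(vulns)
    if not pool:
        return None
    return sum(1 for v in pool if v.patched is not None) / len(pool)


def mean_vulnerability_age(vulns: List[Vulnerability], as_of: datetime) -> Optional[timedelta]:
    """Average age: patched findings age up to their patch date, open
    findings keep ageing up to the reporting date, so an ignored backlog
    pushes this number up over time."""
    return _mean([(v.patched or as_of) - v.discovered for v in vulns])


# Constructed sample data (hypothetical incidents and findings).
INCIDENTS = [
    Incident("phish-01", datetime(2024, 3, 1, 9), datetime(2024, 3, 3, 9),
             datetime(2024, 3, 4, 9), timedelta(hours=4)),
    Incident("webshell-02", datetime(2024, 3, 10), datetime(2024, 3, 20),
             datetime(2024, 3, 21, 12), timedelta(hours=2)),
    Incident("creds-03", datetime(2024, 4, 1), datetime(2024, 4, 2),
             None, timedelta(0)),                       # still open
]
VULNS = [
    Vulnerability("web-01", True, datetime(2024, 3, 1), datetime(2024, 3, 5)),
    Vulnerability("db-01", True, datetime(2024, 3, 10), datetime(2024, 3, 15)),
    Vulnerability("dev-vm", False, datetime(2024, 3, 1), None),
    Vulnerability("jumpbox", True, datetime(2024, 4, 1), None),
    Vulnerability("wiki", False, datetime(2024, 2, 20), datetime(2024, 3, 20)),
]
AS_OF = datetime(2024, 4, 15)


def report() -> Dict[str, object]:
    """All metrics for the sample data, in the shape a dashboard would consume."""
    return {
        "dwell_to_detection": mean_dwell_time(INCIDENTS),
        "dwell_to_eradication": mean_dwell_time(INCIDENTS, until="eradicated"),
        "mttr_march": mean_time_to_recovery(INCIDENTS, datetime(2024, 3, 1), datetime(2024, 4, 1)),
        "patch_rate_all": patch_rate(VULNS),
        "patch_rate_critical": patch_rate(VULNS, critical_only=True),
        "mean_vuln_age": mean_vulnerability_age(VULNS, AS_OF),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two design points matter for trustworthy numbers. Open items are handled explicitly rather than silently: an open incident is skipped when measuring dwell to eradication (there is no end time yet), while an open vulnerability keeps ageing against the reporting date, because a finding nobody fixed is exactly the risk the age metric is meant to expose. And every function returns None for an empty input rather than raising or reporting zero, since "no incidents this month" and "MTTR of zero" mean very different things to an executive reader.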
Cloud Security
A great deal of cloud risk stems from elevated privileges. By continually measuring the number of employees with admin or elevated privileges to cloud applications over time, teams will better understand if and when they need to revisit access-level policies. It is also essential to measure the number of cloud security policy violations and the number of misconfigured assets in the environment. Comparing these metrics against a set of best practices, such as the CIS Foundations Benchmark for each cloud provider in use, helps determine the effectiveness of the overall cloud security initiative.
Executive Reporting
Executive-level metrics focus more on business impact than on the security program itself. One item that might be incorporated into this reporting is incident cost, which takes the staff time required to detect and resolve an incident and translates it into the combined salary cost of the people involved. Another area is risk quantification. If companies can quantify cyber risk beyond incident costs, they can present where the security program stands in a form that is digestible for executive audiences. Risk guidance from NIST and the Factor Analysis of Information Risk (FAIR) standard help with quantifying information security risk.
There are endless variables and possibilities when it comes to measuring cybersecurity programs. And there’s no shortage of data that security teams have at their disposal. Successful metrics programs incorporate measurements that best match the business and program outcomes they are looking to achieve and take steps to ensure their confidence in the data that informs them.