Measuring Cyber Security: The what, why and how
CISOs need to report the key security performance and risk indicators to executive teams in way that they find meaningful and actionable.
A core pillar of a mature cyber risk program is the ability to measure, analyse, and report cyber security threats and performance. That said, measuring cyber security is not easy. On one hand business leaders struggle to understand information risk (because they usually are from a non-cyber background), while on the other, security practitioners get caught up in too much technical detail which ends up confusing, misinforming, or misleading stakeholders.
In an ideal scenario, security practitioners must measure and report cyber security in a way that senior executives understand, find useful, satisfy curiosity, and lead to actionable outcomes.
What can be measured in cyber security?
Most stakeholders usually have questions around risk, compliance, or assurance. Unfortunately, such questions usually cannot be answered using a single data point. Fortunately, there are a wide range of things that security practitioners can measure in order to address stakeholder questions and concerns. These can be broadly categorised under:
- Controls: Measures that are put in place to counter threats and reduce information risk
- Assets: Any item that is of value or is owned by the organisation
- Vulnerabilities: Weaknesses in the system that can be exploited by a threat
- Threat events: Actions initiated by a threat capable of causing harm to assets
- Security incidents: Events that successfully impacted the business in terms of disruption, downtime, system shutdown, data breach, phishing, ransomware etc.
Above categories can further be broken down in terms of numbers, time, or cost. For example, numbers can measure totals and percentages of unpatched servers, ratio of unpatched servers in comparison to the required baseline and capacity, or the number of servers possible to patch. Time can measure the amount of time it took to identify an incident, or the frequency of a particular threat over time. Cost can help measure the impact of an incident in financial terms, the cost of recovery, and the cost of lost business due to downtime.
Why focus on KPIs and not metrics?
Security practitioners must select the most relevant measurements when reporting to business teams. Most security teams focus on metrics, which provide low-level measurements related to assets, vulnerabilities, and threat events. Executive teams, on the other hand, care about key performance indicators (KPIs) and key risk indicators (KRIs) because these can help answer specific questions related to information security risk, health, preparedness, and business priorities:
- Are we secure?
- Are security investments delivering value to the business?
- Are we meeting regulatory obligations from a security perspective?
- What is our preparedness for ransomware attacks or supply chain attacks?
These are the types of questions that KPIs and KRIs help answer and this is why practitioners must be laser-focused on KPIs and KRIs to benchmark their security performance, preparedness, and effectiveness.
How can security teams measure cyber security?
Building the right measurement framework is a gradual, iterative process. Let’s explore the five main steps involved in building a security measurement cycle…