[BreachExchange] How to Measure Cybersecurity Success

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 29 15:01:06 EDT 2018


https://www.cybersecurityintelligence.com/blog/how-to-measure-cybersecurity-success-3494.html

Key Performance Indicators (KPIs) are fundamental to determining success in
business. There are many industries and functions with long established
KPIs such as inventory turnover or gross profit margin as a percentage of
sales.

Cyber-security, being a newer discipline, does not yet have the same level of
interest in performance measures, or the same established KPIs, that other
areas do.

So how do you measure success in cyber-security? After all, if you can't
measure it, you can't manage it.


What to Measure?

In today's world, we constantly talk about cyber breaches. However, we
rarely talk about cyber-security successes. Perhaps we don't because of the
vast number of incidents reported in the news. Or perhaps it's because
there are some who are only concerned about one success metric: whether a
cyber-security incident has occurred or not. This is poor business practice,
since it does not provide a real-time snapshot of an organisation's
cyber-security posture, only one instant in time.

Cyber Implementation Measurements
An organisation's implementation measurements are used to monitor
compliance with the organisation's security standard.
The key to maintaining a high level of performance with regard to
implementation measurements is to establish a security baseline first, and
then continuously improve until you are consistently operating at or near
100%. Once you have a security baseline established, you should have a
constant flow of information with which to respond to vulnerabilities and
to update your informational dashboard.

Cyber Effectiveness/Efficiency Measurements
An organisation's effectiveness/efficiency measurements are used to monitor
how well an organisation prevents and responds to cyber incidents. The key
to maintaining a high level of performance with regard to
effectiveness/efficiency measurements is to have preplanned responses to a
cyber-security incident and to exercise their implementation.

These response plans should be fed by the risk assessment conducted under
the prior implementation measurements. Once completed, they should be
exercised regularly against the organisation's most valuable assets, and
the plans updated as appropriate.
For instance, how long does it take an organisation to return a system to a
secure state after a user clicks on a link in a phishing email or suffers
another attack? Can steps be taken to reduce the time it takes to make the
system operational again?

Example 1: Percent (%) of reported cyber-security incident investigations
resolved within an organisationally defined timeframe.

Example 2: Number of system vulnerabilities exploited by threat actors.

Example 3: Accuracy of cyber-security protection assets (e.g. intrusion
detection systems, intrusion prevention systems, firewalls, etc.)
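To make the effectiveness/efficiency measurements above concrete, here is an added example (not part of the original article) that computes Example 1, the percentage of incidents resolved within an organisationally defined timeframe, plus the mean time to return a system to a secure state, and breaks the KPI down per month so a dashboard shows a trend rather than one instant in time. The incident records and the 8-hour SLA are constructed sample values; a real implementation would read them from the incident tracker.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). "reported" is when the
# incident was raised, "resolved" is when the affected system was returned to
# a secure state; None means the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "reported": "2018-05-02T09:15:00", "resolved": "2018-05-02T13:40:00", "category": "phishing"},
    {"id": "INC-2", "reported": "2018-05-10T17:00:00", "resolved": "2018-05-13T08:30:00", "category": "malware"},
    {"id": "INC-3", "reported": "2018-06-01T08:00:00", "resolved": "2018-06-01T10:05:00", "category": "phishing"},
    {"id": "INC-4", "reported": "2018-06-14T22:10:00", "resolved": None,                  "category": "phishing"},
    {"id": "INC-5", "reported": "2018-06-20T11:00:00", "resolved": "2018-06-20T11:45:00", "category": "phishing"},
]

def resolution_time(inc):
    """Hours from report until return to a secure state; None while still open."""
    if inc["resolved"] is None:
        return None
    delta = datetime.fromisoformat(inc["resolved"]) - datetime.fromisoformat(inc["reported"])
    return delta.total_seconds() / 3600

def pct_resolved_within(incidents, sla_hours):
    """Example 1: % of reported incidents resolved within the defined timeframe.
    Open incidents count against the KPI, since they were not resolved in time."""
    if not incidents:
        return 0.0
    times = [resolution_time(i) for i in incidents]
    ok = sum(1 for t in times if t is not None and t <= sla_hours)
    return round(100.0 * ok / len(incidents), 1)

def mean_time_to_secure(incidents, category=None):
    """Mean hours to return systems to a secure state, optionally per category
    (e.g. phishing only), ignoring incidents that are still open."""
    times = [resolution_time(i) for i in incidents
             if category is None or i["category"] == category]
    times = [t for t in times if t is not None]
    return round(mean(times), 2) if times else None

def monthly_trend(incidents, sla_hours):
    """The Example 1 KPI per reporting month (YYYY-MM), for a dashboard trend line."""
    by_month = {}
    for inc in incidents:
        by_month.setdefault(inc["reported"][:7], []).append(inc)
    return {m: pct_resolved_within(v, sla_hours) for m, v in sorted(by_month.items())}

if __name__ == "__main__":
    print("Resolved within 8h SLA:", pct_resolved_within(INCIDENTS, 8), "%")
    print("Mean time to secure state (phishing):", mean_time_to_secure(INCIDENTS, "phishing"), "h")
    print("Monthly trend:", monthly_trend(INCIDENTS, 8))
```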

Cyber Impact Measurements
An organisation's impact measurements are used to monitor the potential
impact of a cyber-security breach and the damage done to organisational
assets (both tangible and intangible).

The key to maintaining a high level of performance with regard to impact
measurements is to manage the fallout from the breach effectively. It used
to be that consumers would cast aside companies that had suffered a
cyber-security breach. Today, it's a bit more complicated.

An article by Doug Drinkwater in CSO magazine said that the stock price of
many large corporations that suffered a cyber-security breach had risen one
year later. But the damage to a brand's long-term reputation is real,
ranking right up there with poor customer service.

By failing to manage the fallout from a cyber incident and by obscuring the
breach, an organisation only exacerbates the damage to its brand and
reputation.

Conclusion
Much of the existing literature identifies ways for CISOs and information
security professionals to develop their own metrics. Maybe for you and your
organisation, it is better to measure success by compliance with a
regulatory standard. However, many risk assessments are geared towards
identifying, planning for, detecting, and responding to cyber
risks/vulnerabilities. The cyber resilience life cycle gives little thought
to measuring its own effectiveness or to relaying that information to senior
management.

By developing KPIs, CISOs and information security professionals can
measure success over time. These measurements can then be used to create
their own dashboards to monitor performance and report it to other senior
leaders. It's about time we started finding successes to talk about rather
than only negative consequences.