Key performance indicators (KPIs) are an effective way to measure the success of your cybersecurity program and aid in decision-making.
According to PwC, just 22 percent of Chief Executive Officers believe their risk exposure data is comprehensive enough to form decisions, a figure that, alarmingly, hasn't changed in 10 years. The EY Global Information Security Survey supports this, with only 15% of organizations saying their information security (InfoSec) reporting fully meets their expectations.
Why are cybersecurity metrics important?
As Peter Drucker said, what gets measured, gets managed - and cybersecurity is no different. If you can't measure your security efforts, you won't know how you're tracking.
Cybersecurity is not a one-time affair. Cyber threats are constantly evolving and the processes and technology needed to prevent them are constantly changing. You need to have measures in place to frequently assess the effectiveness of the safeguards you have invested in.
This is important for two reasons:
- Analysis of KPIs, key risk indicators (KRIs) and security postures provides a snapshot of how your security team is functioning over time, helping you understand what is working and what is worsening, and improving decision making about future projects.
- Metrics provide quantitative information that you can use to show management and board members you take the protection and integrity of sensitive information and information technology assets seriously.
Reporting and providing context on cybersecurity metrics is becoming an important part of the job for many Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs), driven by increasing interest in reporting at the shareholder, regulatory and board levels.
This has been driven by new regulations like the Gramm-Leach-Bliley Act, NYDFS Cybersecurity Regulation, PIPEDA and CPS 234. Pair this with extraterritorial data protection laws like GDPR, CCPA and LGPD and security management becomes a key focus for every organization.
The best IT security professionals use metrics to tell a story, especially when giving a report to non-technical colleagues.
14 Cybersecurity KPIs to track
Below are examples of clear metrics you can track and present to your stakeholders:
- Level of preparedness: How many devices on your network are fully patched and up to date? Vulnerability scanning and vulnerability management together form one of the 20 CIS Controls and can reduce the risk of vulnerability exploits.
- Unidentified devices on internal networks: Employees can introduce malware and other cyber risks when they bring in their own devices, as can poorly configured Internet of Things (IoT) devices, which is why network intrusion detection systems are an important part of your organization's security.
- Intrusion attempts: How many times have bad actors attempted to gain unauthorized access?
- Security incidents: How many times has an attacker breached your information assets or networks?
- Mean Time to Detect (MTTD): How long do security threats go unnoticed? MTTD measures how long it takes your team to become aware of indicators of compromise and other security threats.
- Mean Time to Resolve (MTTR): What is the mean time it takes your team to respond to a cyber attack once they are aware of it? A great measure of the quality of your incident response plan implementation.
- Mean Time to Contain (MTTC): How long does it take to close identified attack vectors?
- First-party security ratings: Security ratings are often the easiest way to communicate metrics to non-technical colleagues through an easy-to-understand score. UpGuard gives your company a simple A-F letter grade based on 50+ criteria including network security, phishing risk, DNSSEC, email spoofing, social engineering risk, DMARC, risk of man-in-the-middle attacks, data leaks and vulnerabilities. Security ratings can feed into your cybersecurity risk assessment process and help inform which information security metrics need attention.
- Average vendor security rating: The threat landscape for your organization extends beyond your borders, and your security performance metrics must do the same. This is why vendor risk management and a robust third-party risk management framework are required. UpGuard's Executive Summary Report provides you with instant access to your average vendor rating over the last twelve months, as well as your distribution of vendor ratings. Traditional vendor management practices were limited to a snapshot of your vendor security ratings at a single point in time. By continuously monitoring vendor risks, you can greatly reduce your third-party and fourth-party risk.
- Patching cadence: How long does it take your team to implement security patches or mitigate high-risk CVE-listed vulnerabilities? Cybercriminals often use threat intelligence tools and exploit the lag between patch release and implementation. A great example of this is the widespread success of WannaCry, a ransomware computer worm. While WannaCry exploited a zero-day vulnerability called EternalBlue, it was quickly patched, but many organizations fell victim anyway due to poor patching cadence.
- Access management: How many users have administrative privileges? Access control and the principle of least privilege are simple, cost effective methods of reducing privilege escalation attacks.
- Company vs peer performance: The top metric for board-level reporting today is how your organization's cybersecurity performance compares to the peers in your industry. This information is easily digestible, visually appealing and highly compelling, which makes it a top choice for board presentations. UpGuard's Executive Summary Report allows you to easily benchmark your security performance against four key industry peers over the last twelve months.
- Vendor patching cadence: This metric involves determining how many risks your vendor has and how many critical vulnerabilities are yet to be remediated.
- Mean time for vendors to respond to security incidents: A security incident isn't just a successful cyber attack; intrusion attempts against vendors can signal that your organization is a potential target. The longer it takes vendors to respond to incidents, the higher the chance you will suffer a third-party data breach. In fact, some of the biggest data breaches are the result of poor vendor management.
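The time-based KPIs above (MTTD, MTTC, MTTR and patching cadence) are only useful if everyone computes them from the same reference points. The following is an added example, not code from the original article or from UpGuard, showing one way to derive them from constructed incident and patch records; the record layout, field names, placeholder CVE ids and the 7-day SLA are all assumptions made for the example.

```python
from datetime import date, datetime
from statistics import mean

# Constructed incident records (sample data, not from any real environment).
# Times: attacker's first activity, detection, containment, full resolution.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T08:00", "detected": "2024-03-01T20:00",
     "contained": "2024-03-02T02:00", "resolved": "2024-03-03T08:00"},
    {"id": "INC-2", "first_activity": "2024-03-10T00:00", "detected": "2024-03-12T00:00",
     "contained": "2024-03-12T10:00", "resolved": "2024-03-14T00:00"},
    {"id": "INC-3", "first_activity": "2024-03-20T06:00", "detected": "2024-03-20T12:00",
     "contained": "2024-03-20T14:00", "resolved": "2024-03-21T00:00"},
]

# Constructed patch records; the CVE ids are placeholders, not real identifiers.
# "deployed" is None while the patch is still outstanding in the estate.
PATCHES = [
    {"cve": "CVE-XXXX-0001", "severity": "critical", "released": "2024-03-01", "deployed": "2024-03-04"},
    {"cve": "CVE-XXXX-0002", "severity": "critical", "released": "2024-03-05", "deployed": "2024-03-12"},
    {"cve": "CVE-XXXX-0003", "severity": "high", "released": "2024-03-02", "deployed": "2024-03-16"},
    {"cve": "CVE-XXXX-0004", "severity": "critical", "released": "2024-03-10", "deployed": None},
]

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600  # elapsed hours

def incident_metrics(incidents):
    """MTTD: hours the attacker was active before detection. MTTC: hours from detection
    to closing the attack vector. MTTR: hours from detection to full resolution."""
    return {
        "MTTD": mean(_hours(i["first_activity"], i["detected"]) for i in incidents),
        "MTTC": mean(_hours(i["detected"], i["contained"]) for i in incidents),
        "MTTR": mean(_hours(i["detected"], i["resolved"]) for i in incidents),
    }

def _lag_days(p, as_of=None):
    # Days from vendor release to deployment; an outstanding patch is measured up to as_of.
    end = p["deployed"] or as_of
    return (date.fromisoformat(end) - date.fromisoformat(p["released"])).days

def patching_cadence(patches, severity):
    """Mean days from release to deployment for the deployed patches of one severity."""
    days = [_lag_days(p) for p in patches if p["severity"] == severity and p["deployed"]]
    return mean(days) if days else None

def overdue_patches(patches, sla_days, as_of):
    """CVEs whose lag exceeds the SLA. Outstanding patches are measured up to as_of,
    so a patch that was never deployed cannot hide behind the mean of the others."""
    return [p["cve"] for p in patches if _lag_days(p, as_of) > sla_days]
```

Report the mean together with the overdue list: the cadence alone looks healthy here (5 days for criticals) while one critical patch is still open past the SLA.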
How to choose the right cybersecurity metrics
There is no hard and fast rule for choosing cybersecurity KPIs and KRIs. These metrics will depend on your industry, your organization's needs, regulations, guidelines, best practices and, ultimately, your and your customers' appetite for risk.
That said, you will want to choose metrics that are clear to anyone, even non-technical stakeholders. A good rule of thumb is if your non-technical stakeholders can't understand them, you need to pick new metrics or do a better job of explaining them.
Benchmarks and industry comparisons are an easy way to make even complex metrics understandable.
And remember that one of the most important metrics is cost. The goal of presenting to the executive team and board is to make a succinct point about how cybersecurity is saving the organization money or generating additional revenue.
This shouldn't be too hard to justify, given that the average data breach costs organizations $3.92 million globally and $8.19 million in the United States.
Outside of the metrics outlined above, the CIS Controls provide a cost effective, prioritized list of security controls.
How UpGuard automates your cybersecurity reporting
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
Use our Executive Summary dashboard to report on important cybersecurity metrics instantly.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and providing vendor questionnaire templates that map to the NIST Cybersecurity Framework and other best practices. We can help you continuously monitor your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help you monitor DMARC, combat typosquatting, and prevent data breaches and data leaks, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.