Key performance indicators (KPIs) are an effective way to measure the success of any program (including cybersecurity) and aid in decision-making.
According to PwC, just 22 percent of Chief Executive Officers believe their risk exposure data is comprehensive enough to base decisions on, a figure that, alarmingly, hasn't changed in 10 years.
In this post, we discuss 14 actionable cybersecurity metrics to help you take ownership of your risk identification and remediation efforts.
Why are Cybersecurity Metrics Important?
As Peter Drucker said, what gets measured gets managed, and cybersecurity is no different. If you can't measure your security efforts, you won't know whether they are improving or deteriorating.
Cybersecurity is not a one-time affair. Cyber threats are constantly evolving and the processes and technology needed to prevent them are constantly changing. You need to have measures in place to frequently assess the effectiveness of the safeguards you have invested in.
This is important for two reasons:
- Analysis of KPIs, key risk indicators (KRIs), and security posture provides a view of how your security team is performing over time, helping you understand what is working and what is getting worse, and improving decision-making about future projects.
- Metrics provide quantitative information that you can use to show management and board members you take the protection and integrity of sensitive information and information technology assets seriously.
Reporting on cybersecurity metrics, and providing context for them, is becoming an important part of the job for many Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs), driven by increasing interest in reporting at the shareholder, regulatory, and board levels.
Regulations such as the Gramm-Leach-Bliley Act, the NYDFS Cybersecurity Regulation, PIPEDA, and CPS 234 contribute to this. Pair them with extraterritorial data protection laws like GDPR, CCPA, and LGPD and security management becomes a key focus for every organization.
The best IT security professionals use metrics to tell a story, especially when giving a report to non-technical colleagues.
14 Cybersecurity KPIs to Track
Below are examples of clear KPIs and metrics you can track and present to your stakeholders:
1. Level of Preparedness
How many devices on your corporate network are fully patched and up to date, as a share of all devices in your inventory? Continuous vulnerability management, backed by regular vulnerability scans, is one of the 20 CIS Controls and directly reduces the risk of vulnerability exploitation.
2. Unidentified Devices on Internal Networks
Employees can introduce malware and other cyber risks when they bring in their own devices, as can poorly configured Internet of Things (IoT) devices. Track the number of devices seen on your internal networks that are not in your asset inventory; an accurate inventory and network intrusion detection systems are what make this metric possible.
3. Intrusion Attempts
How many times have bad actors attempted to gain unauthorized access? Firewall, intrusion detection, and authentication logs are the usual sources for this count. Note that raw counts of blocked connections are dominated by internet background noise, so it helps to separate one-off probes from sustained activity against a single service or a sweep across many ports.
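As an added example (not code from the original post or from UpGuard), the following Python script derives an intrusion-attempt count from firewall log lines and separates background noise from sustained activity. The log format, the source addresses (taken from the reserved TEST-NET ranges), the `min_hits` threshold and the classification rules are all constructed for illustration; real firewalls have their own log formats and you would tune the threshold to your own traffic.

```python
import re
from collections import defaultdict

# Hypothetical key=value firewall log format, constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(lines):
    """Yield parsed events; lines that do not match are skipped here, but in a
    real pipeline you would count them so parser drift does not hide attempts."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def intrusion_attempts(lines, min_hits=5):
    """Count inbound DENY events per source and classify each source.
    Fewer than min_hits denies: background noise. min_hits or more against a
    single port: a brute-force style attempt. min_hits or more across several
    ports: a scan. The totals are what you report as 'intrusion attempts'."""
    denies = defaultdict(list)            # src -> list of denied dports
    for ev in parse(lines):
        if ev["action"] == "DENY":
            denies[ev["src"]].append(ev["dport"])

    classes = {"noise": [], "brute_force": [], "scan": []}
    for src, ports in denies.items():
        if len(ports) < min_hits:
            classes["noise"].append(src)
        elif len(set(ports)) == 1:
            classes["brute_force"].append(src)
        else:
            classes["scan"].append(src)

    return {
        "total_denies": sum(len(p) for p in denies.values()),
        "distinct_sources": len(denies),
        **{k: sorted(v) for k, v in classes.items()},
    }


# Constructed sample log: one SSH brute-force source, one port scanner,
# two one-off probes, one allowed connection and one malformed line.
SAMPLE_LOG = (
    [f"2024-03-01T10:00:{i:02d}Z action=DENY src=198.51.100.7 dst=10.0.0.12 dport=22 proto=tcp"
     for i in range(6)]
    + [f"2024-03-01T10:01:{i:02d}Z action=DENY src=203.0.113.5 dst=10.0.0.12 dport={p} proto=tcp"
       for i, p in enumerate([21, 22, 23, 80, 443, 3389])]
    + ["2024-03-01T10:02:00Z action=DENY src=192.0.2.9 dst=10.0.0.12 dport=445 proto=tcp",
       "2024-03-01T10:02:30Z action=DENY src=203.0.113.77 dst=10.0.0.12 dport=22 proto=tcp",
       "2024-03-01T10:02:31Z action=DENY src=203.0.113.77 dst=10.0.0.12 dport=22 proto=tcp",
       "2024-03-01T10:03:00Z action=ALLOW src=198.51.100.7 dst=10.0.0.12 dport=443 proto=tcp",
       "garbage line that should not parse"]
)

if __name__ == "__main__":
    print(intrusion_attempts(SAMPLE_LOG))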
4. Security Incidents
How many times has an attacker breached your information assets or networks?
5. Mean Time to Detect (MTTD)
How long do security threats go unnoticed? MTTD measures how long it takes your team to become aware of indicators of compromise and other security threats.
6. Mean Time to Resolve (MTTR)
How long does it take to fully remediate an incident once it has been detected? MTTR covers the whole incident lifecycle after detection, including cleanup, recovery, and closure, and so is normally longer than the time to contain.
7. Mean Time to Contain (MTTC)
How long does it take to close identified attack vectors across all endpoints? MTTC measures the time from detection until the attacker can no longer act or spread, even if full remediation is still in progress.
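To make the three timing metrics above (MTTD, MTTR, MTTC) concrete, here is an added Python example that is not part of the original post and not UpGuard's code. It computes them from a constructed set of incident records and reports the median and 90th percentile alongside the mean, because a single long-dwell incident can drag the mean far away from what a typical incident looks like. The `Incident` record, its field names, and the choice to measure MTTR from detection rather than from compromise are assumptions for this example; state whichever convention you use in your report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    id: str
    compromised_at: datetime            # earliest attacker activity, from forensics
    detected_at: datetime               # first alert the team acted on
    contained_at: Optional[datetime]    # attack vector closed on every affected endpoint
    resolved_at: Optional[datetime]     # incident fully remediated and closed


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def summarise(durations: List[timedelta]) -> Dict[str, float]:
    """Mean plus median and p90: the mean alone hides the shape of the data."""
    if not durations:
        return {}
    hrs = sorted(_hours(d) for d in durations)
    p90 = hrs[int(round(0.9 * (len(hrs) - 1)))]   # nearest-rank percentile
    return {
        "n": len(hrs),
        "mean_h": round(mean(hrs), 1),
        "median_h": round(median(hrs), 1),
        "p90_h": round(p90, 1),
    }


def incident_metrics(incidents: List[Incident]) -> Dict[str, object]:
    # MTTD: compromise -> detection (dwell time).
    # MTTC: detection -> containment.
    # MTTR: detection -> resolution (assumption for this example; measuring
    # from compromise is also common).
    # Incidents that are not yet contained/resolved are excluded from those
    # averages and listed separately, so open cases do not look like fast ones.
    detect = [i.detected_at - i.compromised_at for i in incidents]
    contain = [i.contained_at - i.detected_at for i in incidents if i.contained_at]
    resolve = [i.resolved_at - i.detected_at for i in incidents if i.resolved_at]
    still_open = [i.id for i in incidents if i.resolved_at is None]
    return {
        "MTTD": summarise(detect),
        "MTTC": summarise(contain),
        "MTTR": summarise(resolve),
        "open": still_open,
    }


D = datetime.fromisoformat

# Constructed sample data: four routine incidents plus one with a 75-day dwell.
SAMPLE_INCIDENTS = [
    Incident("INC-1", D("2024-01-03T08:00"), D("2024-01-03T10:00"), D("2024-01-03T13:00"), D("2024-01-04T10:00")),
    Incident("INC-2", D("2024-01-10T00:00"), D("2024-01-12T00:00"), D("2024-01-12T06:00"), D("2024-01-15T00:00")),
    Incident("INC-3", D("2024-02-01T12:00"), D("2024-02-01T16:00"), D("2024-02-01T17:00"), D("2024-02-02T16:00")),
    Incident("INC-4", D("2023-12-01T00:00"), D("2024-02-14T00:00"), D("2024-02-14T12:00"), None),
    Incident("INC-5", D("2024-02-20T09:00"), D("2024-02-20T09:30"), None, None),
]

if __name__ == "__main__":
    for name, value in incident_metrics(SAMPLE_INCIDENTS).items():
        print(name, value)
```

With this sample the mean time to detect is about 371 hours while the median is 4 hours: one long-dwell incident dominates the mean, which is exactly the kind of nuance a board report should surface rather than hide behind a single number.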
8. First Party Security Ratings
Security ratings are often the easiest way to communicate metrics to non-technical colleagues through an easy-to-understand score.
UpGuard gives your company a simple A-F letter grade to assess cybersecurity posture based on 50+ criteria in real-time including network security, phishing risk, DNSSEC, email spoofing, social engineering risk, DMARC, risk of man-in-the-middle attacks, data leaks, and vulnerabilities.
Security ratings can feed into your cybersecurity risk assessment process and help inform which information security metrics need attention.
9. Average Vendor Security Rating
The threat landscape for your organization extends beyond your borders and your security performance metrics must do the same.
This is why vendor risk management and a robust third-party risk management framework are essential requirements for security operations. UpGuard's Executive Summary Report provides instant access to your average vendor rating over the last twelve months, as well as the distribution of your vendor ratings. Traditional vendor management practices were limited to a snapshot of vendor security ratings at a single point in time. By continuously monitoring vendor risks, you can greatly reduce your third-party and fourth-party risk.
10. Patching Cadence
Attackers watch vendor patch releases and exploit the lag between a patch being published and it being deployed. A well-known example is the widespread success of WannaCry, a ransomware worm. WannaCry spread using EternalBlue, an exploit for an SMBv1 vulnerability (CVE-2017-0144) that Microsoft had already patched in MS17-010 about two months before the May 2017 outbreak; it was not a zero-day by then. Organizations that had not yet applied the patch fell victim anyway because of poor patching cadence. The metric to track is therefore the time from patch release to installation, and the exposure window of any patch that is still missing.
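The following Python script is an added example (not from the original post and not UpGuard's code) that computes both the Level of Preparedness metric from section 1 (share of devices with every patch installed) and the Patching Cadence metric from this section (days from release to install, overdue patches, and the worst open exposure window) from one constructed dataset. The patch and device records, the hostnames, and the `SLA_DAYS` remediation targets are assumptions for this example; replace them with data from your patch management system and your own policy.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List


@dataclass
class Patch:
    id: str
    released: date
    severity: str                 # "critical" or "important"


@dataclass
class Device:
    hostname: str
    installed: Dict[str, date]    # patch id -> install date; absent key = not installed


# Hypothetical remediation SLAs in days from vendor release; tune to your policy.
SLA_DAYS = {"critical": 14, "important": 30}


def _stats(values: List[int]) -> Dict[str, float]:
    return {"mean": round(mean(values), 2), "median": float(median(values))} if values else {}


def patch_metrics(patches: List[Patch], devices: List[Device], as_of: date) -> Dict[str, object]:
    lags = {"all": [], "critical": [], "important": []}   # release -> install, in days
    overdue: Dict[str, List[str]] = {}                     # hostname -> patch ids past SLA
    fully_patched = 0
    worst_exposure = 0                                     # longest window a missing patch has been open
    for dev in devices:
        late = []
        missing_any = False
        for p in patches:
            if p.id in dev.installed:
                lag = (dev.installed[p.id] - p.released).days
                lags["all"].append(lag)
                lags[p.severity].append(lag)
            else:
                missing_any = True
                exposure = (as_of - p.released).days
                worst_exposure = max(worst_exposure, exposure)
                if exposure > SLA_DAYS[p.severity]:
                    late.append(p.id)
        if not missing_any:
            fully_patched += 1
        if late:
            overdue[dev.hostname] = late
    return {
        "fully_patched_pct": round(100 * fully_patched / len(devices), 1),   # Level of Preparedness
        "lag_days": {k: _stats(v) for k, v in lags.items()},                   # Patching Cadence
        "overdue": overdue,
        "worst_exposure_days": worst_exposure,
    }


# Constructed sample data.
PATCHES = [
    Patch("P-1", date(2024, 3, 1), "critical"),
    Patch("P-2", date(2024, 3, 5), "important"),
    Patch("P-3", date(2024, 4, 1), "critical"),
]
DEVICES = [
    Device("web-01", {"P-1": date(2024, 3, 3), "P-2": date(2024, 3, 20), "P-3": date(2024, 4, 3)}),
    Device("db-01", {"P-1": date(2024, 3, 10), "P-2": date(2024, 3, 10)}),
    Device("hr-laptop-07", {"P-1": date(2024, 3, 25)}),
    Device("legacy-app-02", {}),
]
AS_OF = date(2024, 4, 10)

if __name__ == "__main__":
    for name, value in patch_metrics(PATCHES, DEVICES, AS_OF).items():
        print(name, value)
```

Reporting the worst exposure window next to the average lag matters: in this sample the average critical lag is around nine days, which looks healthy, while one host has had a critical patch missing for forty days, which is the WannaCry scenario in miniature.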
11. Access Management
12. Company vs Peer Performance
The top metric for board-level reporting today is how your organization's cybersecurity performance compares to peers in your industry. This information is easily digestible, visually appealing, and highly compelling, which makes it a top choice for board presentations. UpGuard's Executive Summary Report allows you to benchmark your security performance against four key industry peers over the last twelve months.
13. Vendor Patching Cadence
This metric tracks how quickly your third-party vendors apply patches: how many vulnerabilities each vendor currently has exposed, how many critical vulnerabilities remain unremediated, and how long they stay open.
14. Mean Time For Vendors Incident Response
A security incident isn't just a successful cyber attack; intrusion attempts against your vendors can signal that your organization is a target. The longer it takes vendors to respond to incidents, the higher the chance you will suffer a third-party data breach. In fact, some of the biggest data breaches have been the result of poor vendor management.
How to Choose the Right Cybersecurity Metrics
There is no hard and fast rule for choosing cybersecurity KPIs and KRIs. The right metrics depend on your industry, your organization's needs, regulations, guidelines, best practices, and ultimately your and your customers' appetite for risk.
That said, you will want to choose metrics that are clear to anyone, even non-technical stakeholders. A good rule of thumb is if your non-technical stakeholders can't understand them, you need to pick new metrics or do a better job of explaining them.
Benchmarks and industry comparisons are an easy way to make even complex metrics understandable.
And remember that one of the most important metrics is cost. Remember the goal of presenting to the executive team and board is to make a succinct point about how cybersecurity is saving the organization money or generating additional revenue.
This shouldn't be too hard to justify, given that the average data breach cost organizations $3.92 million globally and $8.19 million in the United States, according to the 2019 IBM/Ponemon Cost of a Data Breach report.
Outside of the metrics outlined above, the CIS Controls provide a cost-effective, prioritized list of security controls.
Cybersecurity KPI Tracking by UpGuard
UpGuard streamlines cybersecurity metric tracking with instant visibility into all the variables that matter to you and your executive team.