Organizations continue to pour money into their cybersecurity programs, with annual spending predicted to reach nearly half a trillion dollars by 2025. Prioritizing security is a necessary response to the growing financial risks associated with a breach, but are these investments actually making companies safer? The only way to know if your cyber defenses are effective is to measure.
Don’t Assume, Measure
Many organizations build their security programs on assumptions, for instance that their defenses are strong because they have passed a compliance audit or never had a breach. Neither is evidence: an audit confirms that controls exist, not that they work, and the absence of a known breach may only reflect the absence of detection. Implementing controls and hoping for the best is a risky, inefficient approach. Instead, gathering empirical data to drive security decisions enables organizations to allocate resources based on risk, remove redundant controls and methodically refine their defense posture over time. To obtain this data, you need a standard set of metrics for your organization, collected the same way every time so that results are comparable across periods.
What to Measure?
Establishing useful metrics is easier said than done. A 2017 survey showed that 58% of companies fail to effectively measure the performance of their security program, and one in three had no means of evaluating the return on their security investments.
There’s no industry standard set of security metrics; each organization must define its own key performance indicators (KPIs) based on its unique risk profile. Follow these guidelines to ensure you’re using meaningful metrics:
- Link metrics to business outcomes, such as minimizing critical systems downtime or reducing costs.
- Track data over short time intervals (e.g., daily, hourly) to ensure it’s current and sufficiently granular to discern patterns.
- Pull data from multiple sources to improve reliability and minimize bias.
- Don’t change metrics too frequently; simple, consistent KPIs produce less noise and allow clear trends to emerge over time.
Some key areas to focus on include:
- Vulnerability management: Consider tracking the number of systems with known open vulnerabilities, the average age of open vulnerabilities (measured consistently, e.g., from the date the scanner first reported each finding), the time to remediate critical vulnerabilities and the patch rate of critical systems. Report a median alongside each average, since a handful of long-open findings can skew the mean. Metrics like these show the trajectory of your remediation efforts and whether you are prioritizing high-risk assets and critical vulnerabilities.
- Incident response: You can evaluate your response efficiency using KPIs such as the elapsed time from detection to resolution, the percentage of alerts that turn out to be false positives and the average time analysts spend investigating each alert. Count only alerts that were confirmed incidents in the resolution-time figure; false positives closed in minutes would otherwise make response look faster than it is.
- Awareness training: Metrics like training frequency and completion rates can help track training program compliance, but assessing real improvement in your workforce’s cyber hygiene usually requires outcome-based KPIs, such as the number of incidents employees report themselves (a rising count usually signals better awareness, not worse hygiene) or the number of security breaches attributable to human error.
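As an added example (not code from this article or from MBL Technologies), the following Python computes the vulnerability-management and incident-response KPIs listed above from constructed scanner and ticket records. The host names, asset tiers, dates, severities and alert IDs are made up for illustration; the asset-tier field, the definition of a "patched" critical host (no open critical- or high-severity finding) and the rule that only true-positive alerts count toward resolution time are assumptions of the example, not definitions from the article.

```python
"""Added example: compute the vulnerability-management and incident-response
KPIs from constructed sample records. Hosts, dates, severities and alert IDs
are made up; asset tier and the 'patched host' rule are assumed definitions."""
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean, median
from typing import Optional

# Reporting date (assumed); still-open findings are aged against this.
AS_OF = date(2024, 3, 1)


@dataclass(frozen=True)
class Finding:
    host: str
    host_tier: str              # "critical" or "standard" (assumed asset classification)
    severity: str               # scanner severity: critical / high / medium / low
    first_seen: date            # date the scanner first reported the finding
    remediated: Optional[date]  # None while the finding is still open


@dataclass(frozen=True)
class Alert:
    alert_id: str
    detected: datetime
    resolved: datetime
    true_positive: bool         # analyst disposition after triage
    analyst_minutes: int        # hands-on investigation time logged by the analyst


# Constructed scanner and ticket data, not real hosts or incidents.
FINDINGS = [
    Finding("web-01", "critical", "critical", date(2024, 1, 10), date(2024, 1, 14)),
    Finding("web-01", "critical", "high",     date(2024, 2, 1),  None),
    Finding("db-01",  "critical", "critical", date(2024, 1, 20), date(2024, 1, 30)),
    Finding("db-01",  "critical", "medium",   date(2024, 2, 15), date(2024, 2, 20)),
    Finding("vpn-01", "critical", "critical", date(2024, 2, 10), None),
    Finding("hr-app", "standard", "critical", date(2023, 12, 1), date(2024, 1, 5)),
    Finding("ws-117", "standard", "low",      date(2024, 1, 15), None),
]

ALERTS = [
    Alert("A1", datetime(2024, 2, 1, 9, 0),   datetime(2024, 2, 1, 13, 0),  True,  90),
    Alert("A2", datetime(2024, 2, 2, 10, 0),  datetime(2024, 2, 2, 10, 30), False, 20),
    Alert("A3", datetime(2024, 2, 3, 8, 0),   datetime(2024, 2, 4, 8, 0),   True,  240),
    Alert("A4", datetime(2024, 2, 5, 14, 0),  datetime(2024, 2, 5, 14, 15), False, 10),
    Alert("A5", datetime(2024, 2, 6, 22, 0),  datetime(2024, 2, 7, 6, 0),   True,  180),
    Alert("A6", datetime(2024, 2, 7, 11, 0),  datetime(2024, 2, 7, 11, 5),  False, 5),
]


def vuln_kpis(findings, as_of=AS_OF):
    """Vulnerability-management KPIs named in the article, as a dict."""
    open_f = [f for f in findings if f.remediated is None]
    closed_crit = [f for f in findings
                   if f.remediated is not None and f.severity == "critical"]
    crit_hosts = {f.host for f in findings if f.host_tier == "critical"}
    # Assumed rule: a critical-tier host counts as patched only when it has
    # no open critical- or high-severity finding.
    crit_hosts_exposed = {f.host for f in open_f
                          if f.host_tier == "critical"
                          and f.severity in ("critical", "high")}
    remediation_days = [(f.remediated - f.first_seen).days for f in closed_crit]
    return {
        "hosts_with_open_vulns": len({f.host for f in open_f}),
        "avg_open_age_days": mean((as_of - f.first_seen).days for f in open_f) if open_f else 0.0,
        # Median reported beside the mean: a few long-open findings skew the average.
        "critical_remediation_days_mean": mean(remediation_days) if remediation_days else None,
        "critical_remediation_days_median": median(remediation_days) if remediation_days else None,
        "critical_host_patch_rate": (len(crit_hosts - crit_hosts_exposed) / len(crit_hosts)
                                     if crit_hosts else None),
    }


def ir_kpis(alerts):
    """Incident-response KPIs named in the article, as a dict."""
    incidents = [a for a in alerts if a.true_positive]
    false_positives = [a for a in alerts if not a.true_positive]
    # Only confirmed incidents feed the detection-to-resolution figure; false
    # positives closed in minutes would otherwise make response look faster.
    hours = [(a.resolved - a.detected).total_seconds() / 3600 for a in incidents]
    return {
        "mean_detect_to_resolve_hours": mean(hours) if hours else None,
        "false_positive_pct": 100.0 * len(false_positives) / len(alerts) if alerts else None,
        "mean_analyst_minutes_per_alert": mean(a.analyst_minutes for a in alerts) if alerts else None,
    }


if __name__ == "__main__":
    for name, value in {**vuln_kpis(FINDINGS), **ir_kpis(ALERTS)}.items():
        print(f"{name:34} {value}")
```

Run daily against a scanner export and a ticket export and store the two dicts with the run date; the trend across runs is the metric, not any single day's numbers. Note that the average age of open findings (31.7 days here) and the median remediation time for closed critical findings (10 days) measure different populations, so they should be read together rather than compared.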
Testing Your Cybersecurity Efficacy
MBL Technologies can provide an expert, comprehensive evaluation of your organization’s security posture. Our experienced penetration testers use the same techniques real attackers use to test your defenses against simulated attacks, identifying weaknesses and providing long-term, cost-effective solutions. Let us help you allocate your security resources where they’re truly needed and build an effective security program rooted in risk-based, real-world outcomes.