
    Top 10 Cybersecurity Metrics and KPIs

    The right cybersecurity metrics and key performance indicators can help your enterprise respond to risks more efficiently and cost-effectively.

    by Samuel Greengard

    Key Points

    • Metrics and key performance indicators (KPIs) are crucial to building and maintaining strong cybersecurity operations. 
    • Different groups and departments need different types of metrics and KPIs.
    • To measure performance, organizations must also be able to collect and correlate security data from across their networks.

    Identifying cybersecurity risks and establishing more resilient defenses have become essential in business. Yet the path to protection is often bumpy. While there’s no universal consensus on which techniques an enterprise should use to track progress, organizations that identify relevant metrics and KPIs are far more likely to build a better cybersecurity program.

    What’s needed, experts say, is visibility into the things that matter most to specific groups along with technology that supports the metrics and KPI framework, such as Mimecast’s X1 Data Analytics. Unfortunately, many companies fall short. The CyberRisk Alliance reports that nearly four out of five organizations don’t have the visibility they want across all IT and security products and services, let alone the ability to correlate data from them all.[1]

    Visibility Fuels a Successful Cybersecurity Program

    A starting point for establishing improved cybersecurity operations is to recognize that insight and data are crucial. However, the terms cybersecurity metrics and KPIs are often used synonymously — though they actually mean different things. The former represents tactical and often day-to-day measurement of results while the latter revolves around strategic and general measures of success.

    In practical terms, KPIs are best used to drive strategic decision-making, particularly in regard to long-term objectives. These criteria are most valuable for CIOs, CSOs, CISOs, and others who guide budgets and the overall strategic direction of an organization. They focus on what’s working, what’s not working, and where improvements are possible.

    However, it’s impossible to put effective KPIs in place without metrics to support them — and essentially feed in the data that’s required. Metrics deliver the quantitative data that demonstrates whether a tool, program, or initiative is performing well. At times, it may be necessary to change metrics, and it’s important to use appropriate metrics for each group or department.

    Metrics and KPIs Promote Cybersecurity Operations Excellence

    For example, IT and security groups might measure criteria such as unidentified devices on internal networks, intrusion attempts versus the actual number of security incidents, and incident response data. Company employees, meanwhile, might be held accountable for how often they click on bad links or violate regulatory controls such as data privacy protections. 

    Likewise, a board of directors and senior executives are likely to examine metrics surrounding cyber risk, efficacy, cyber resilience, and cyber exposure. Meanwhile, a finance group would likely focus on factors such as risk reduction costs per unit, loss-to-value ratios, and control costs per IT asset.

    It’s important to recognize that not all risks are equal — just as it’s important to recognize that no tool, technology, framework, or procedure can deliver a 100% guarantee that an enterprise will remain secure. Metrics must match the acceptable risk exposure level for a device, system, or department — and an organization must have a way to constantly gauge incidents, risks, and liabilities in this context.

    Yet, with metrics in place, business leaders and security teams can make more informed decisions — particularly regarding the overall effectiveness of a program and what it costs. They also are in a better position to understand specific tools and technology, and which solutions deliver maximum benefits. Along with a dashboard that delivers critical security data, there’s a mechanism in place for transforming this technical data into strategic information that business analysts and the C-suite can use. 


    Identify the Metrics that Really Matter

    Several high-level metrics and KPIs are commonly used to improve cybersecurity operations. Among those that matter the most:

    1. Intrusion attempts vs. actual security incidents. This metric offers general insight into existing vulnerabilities, the state of preparedness, and how the organization responds to attacks.
    2. Mean time to detect (MTTD). This is a crucial element because the faster an organization identifies an attack, the greater the odds it can contain it with minimal damage.
    3. Mean time to respond (MTTR). The ability to neutralize a threat and get systems back online is critical because as events drag out, risks and costs increase.
    4. Mean time to contain (MTTC). This metric refers to the average time required to shut down all attack vectors across all endpoints and minimize the probability of any further damage.
    5. Unidentified devices on the network. An ability to discover and tag unidentified devices greatly reduces the odds that someone has unauthorized access to the network.
    6. Patching cadence and effectiveness. It’s vital to ensure that software patches are applied quickly and effectively. However, it’s also important to know which patches should be prioritized.
    7. Training effectiveness. Ensuring that employees understand how to respond to attacks is essential. Human error is a leading cause of intrusions and breakdowns. For instance, phishing test success rates and dynamic risk scoring — part of Mimecast’s security awareness training — offer insights into how a training program is performing.
    8. Peer and industry benchmark data. With independent data, it’s possible to know how an enterprise is performing compared to others in the industry. However, it’s also important to understand whether industry benchmarks are adequate so that an organization doesn’t regress to the mean.
    9. Security audit compliance. This metric delivers actionable information about whether tools, technologies, and procedures are working — and where they’re falling down.
    10. Third-party risk and compliance. Extended supply chains, third-party vendor apps, and APIs all represent risk. As a result, it’s vital to understand risks in the context of third-party privileges and relationships.
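    Metrics 1 through 4 above are only comparable over time if they are computed the same way from the same incident fields, and a case that is still open has to be handled explicitly rather than dropped. The following Python script is an added example, not code from this article or from Mimecast: it computes MTTD, MTTR, MTTC and the attempts-to-incidents ratio from a small constructed set of incident records. The CSV layout, the column names (first_activity, detected, responded, contained), the timestamps and the attempt count are all assumptions made for the example; MTTC is averaged over closed incidents only, with open ones counted separately.

```python
# Added example (not the article's or Mimecast's code): computing MTTD, MTTR,
# MTTC and the attempts-to-incidents ratio from constructed incident records.
import csv
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from statistics import mean
from typing import Optional

# Constructed incident records (assumed layout, ISO 8601 timestamps, UTC).
#   first_activity: earliest attacker action found during investigation
#   detected:       when the alert was raised and triaged as real
#   responded:      first containment action (isolation, credential reset, ...)
#   contained:      all attack vectors closed; empty while the case is open
INCIDENT_CSV = """\
id,first_activity,detected,responded,contained
INC-001,2024-03-01T02:15:00,2024-03-01T08:40:00,2024-03-01T09:10:00,2024-03-01T14:00:00
INC-002,2024-03-04T11:00:00,2024-03-04T11:20:00,2024-03-04T11:45:00,2024-03-04T13:00:00
INC-003,2024-03-07T23:30:00,2024-03-08T07:00:00,2024-03-08T07:30:00,
"""

# Constructed count of blocked intrusion attempts over the same period
# (e.g. IDS, firewall or email-gateway counters), used for metric 1.
INTRUSION_ATTEMPTS = 1240


@dataclass
class Incident:
    id: str
    first_activity: datetime
    detected: datetime
    responded: datetime
    contained: Optional[datetime]  # None while the case is still open


def parse_incidents(text: str) -> list:
    """Parse the CSV into Incident objects; an empty 'contained' cell means open."""
    out = []
    for row in csv.DictReader(StringIO(text)):
        out.append(Incident(
            id=row["id"],
            first_activity=datetime.fromisoformat(row["first_activity"]),
            detected=datetime.fromisoformat(row["detected"]),
            responded=datetime.fromisoformat(row["responded"]),
            contained=datetime.fromisoformat(row["contained"]) if row["contained"] else None,
        ))
    return out


def _hours(later: datetime, earlier: datetime) -> float:
    """Elapsed time between two timestamps, in hours."""
    return (later - earlier).total_seconds() / 3600.0


def compute_metrics(incidents: list, attempts: int) -> dict:
    """Return MTTD, MTTR, MTTC (hours) and the attempts-to-incidents ratio.

    MTTD: first_activity -> detected      MTTR: detected -> responded
    MTTC: detected -> contained, averaged over closed incidents only; open
    cases are reported as a separate count so they are not silently lost.
    """
    if not incidents:
        raise ValueError("no incidents in the reporting period")
    closed = [i for i in incidents if i.contained is not None]
    return {
        "incidents": len(incidents),
        "open_incidents": len(incidents) - len(closed),
        "mttd_hours": mean(_hours(i.detected, i.first_activity) for i in incidents),
        "mttr_hours": mean(_hours(i.responded, i.detected) for i in incidents),
        "mttc_hours": mean(_hours(i.contained, i.detected) for i in closed) if closed else None,
        "attempts_per_incident": attempts / len(incidents),
    }


if __name__ == "__main__":
    report = compute_metrics(parse_incidents(INCIDENT_CSV), INTRUSION_ATTEMPTS)
    for key, value in report.items():
        print(f"{key:>22}: {value:.2f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

    Running the script on the constructed records gives an MTTD of 4.75 hours, an MTTR of about 0.47 hours, an MTTC of 3.5 hours over the two closed cases, one open case, and roughly 413 blocked attempts per confirmed incident. Whatever the real ticketing system is, the point is that each of the four timestamps must be captured consistently, otherwise the trend lines the KPIs depend on are not comparable from quarter to quarter.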

    The Bottom Line

    Improving cybersecurity operations requires focus, vigilance, the right technology, and proven training methods. Identifying useful metrics and achieving adequate visibility to apply them across all of a company’s IT and security assets can be challenging. But organizations that understand which metrics really matter for specific groups — as well as the KPIs that drive performance overall — are equipped to reduce risk and avoid potentially crippling attacks. Read how Mimecast Data Analytics can support your performance measurement.



    [1] “Extended detection and response (XDR): Metrics to consider,” SC Media
