It’s often said that you can’t manage what you can’t measure.
When it comes to cybersecurity, there is almost too much that can be measured, both in the volume of data available and in the variety of things that data can tell you.
It can be difficult to identify what is strategically important and what is noise.
What follows is an overview of how to tune out the noise and home in on the signal so you can successfully defend your organization from cybercriminals by paying attention to the right metrics.
Regardless of the size of your business or the industry you’re in, if you are connected to the Internet, cybersecurity is essentially about this single question: “Are we secure?”
The title of this post is a bit of a misnomer. Executive leadership, by and large, doesn’t care about the “metrics.” They care about the story -- the patterns and trends -- that the metrics reveal. Organizations track metrics so that they can understand that broad story and answer the question with an objective “yes.” As always, remember that no information security strategy is foolproof; it can only reduce your risk, not eliminate it.
NIST’s Directions in Security Metrics Research outlines three uses for metrics:
With so much data available to be analyzed, it’s easy to lose sight of what’s important for answering this key question of “Are we secure?” affirmatively.
The National Institute of Standards and Technology outlines five functions in its Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Each of these functions has metrics that can be used to determine how well each function is performing.
The metrics to be observed must be:
Where is the organization vulnerable to hacking or other cybercriminal activity? The “Identify” piece of the framework is focused on steps to assess cybersecurity risks and prioritize efforts to reduce them.
The metrics to focus on here involve identifying all physical and software assets that need to be protected, which of them are most important, and which data is most at risk. Creating a risk management strategy is a crucial building block of your cybersecurity strategy.
These are your defenses that allow you to continue to deliver safe, secure infrastructure services. Included in this function are activities such as:
You must be able to discover cybersecurity events. Metrics to track here include anomalies against your baseline network operations and data flows. Continuously monitor for events, including malicious code, personnel activity, and unauthorized personnel, connections, devices, and software, to verify the effectiveness of your protective measures.
Once an incident is discovered, your organization must act promptly to understand the event, mitigate the effects, and end the threat.
The key metric here is mean time to resolve (MTTR): once your team has detected the threat, how long does it take to respond to it and resolve it? Also measure how compromised your network is, i.e., what level of business operation remains possible, and identify the attack path.
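As an added example (not code from the original post), here is one way to compute MTTR as the post defines it, detection to resolution, alongside mean time to respond, from a constructed set of incident records. It reports per severity and overall, and it excludes still-open incidents from MTTR rather than silently treating them as resolved; the record layout and timestamps are assumptions for this illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records for this example (not data from the post).
# Timestamps are ISO 8601 UTC; "resolved" is None while the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "detected": "2024-03-01T08:00:00",
     "responded": "2024-03-01T08:20:00", "resolved": "2024-03-01T12:00:00"},
    {"id": "INC-2", "severity": "low",    "detected": "2024-03-02T09:00:00",
     "responded": "2024-03-02T09:30:00", "resolved": "2024-03-03T09:00:00"},
    {"id": "INC-3", "severity": "high",   "detected": "2024-03-05T22:00:00",
     "responded": "2024-03-05T22:10:00", "resolved": "2024-03-06T00:00:00"},
    {"id": "INC-4", "severity": "medium", "detected": "2024-03-07T10:00:00",
     "responded": "2024-03-07T11:00:00", "resolved": None},
]

def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def _select(incidents, severity):
    return [i for i in incidents if severity is None or i["severity"] == severity]

def mean_time_to_respond_hours(incidents, severity=None):
    """Mean hours from detection to first response; open incidents count too,
    since they already have a response time before they are resolved."""
    sample = [_hours(i["detected"], i["responded"]) for i in _select(incidents, severity)]
    return mean(sample) if sample else None

def mttr_hours(incidents, severity=None):
    """Mean time to resolve: mean hours from detection to resolution.
    Open incidents are excluded; counting them as resolved 'now' would understate MTTR."""
    sample = [_hours(i["detected"], i["resolved"])
              for i in _select(incidents, severity) if i["resolved"] is not None]
    return mean(sample) if sample else None

def open_incident_ids(incidents):
    return [i["id"] for i in incidents if i["resolved"] is None]

def report(incidents):
    """One row per severity plus an overall row, the shape a leadership summary needs."""
    rows = {}
    for sev in [None] + sorted({i["severity"] for i in incidents}):
        rows[sev or "all"] = {
            "mean_time_to_respond_h": mean_time_to_respond_hours(incidents, sev),
            "mttr_h": mttr_hours(incidents, sev),
            "open": len([i for i in _select(incidents, sev) if i["resolved"] is None]),
        }
    return rows

if __name__ == "__main__":
    for sev, row in report(INCIDENTS).items():
        print(f"{sev:7s} {row}")
```

A severity whose only incidents are still open reports an MTTR of None, which is the honest answer rather than a misleadingly short one.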
Every business should create an incident response plan. Read about What to Include in Your Incident Response Plan here.
The final function of the NIST framework focuses on ensuring you can restore systems and assets affected by a cybersecurity event to normal operations.
How long will it take to restore systems from backup? Were open ports exploited that need to be closed? Did the attack expose holes in your security posture?
Improving your security posture by incorporating lessons learned into your future cybersecurity planning is a key part of this function. For events involving breaches of customer data, a communication plan is also essential, both for regulatory compliance reasons and to restore customer trust.
Business leaders have no use for overly technical metrics. They want to see metrics on how the bottom line or the company’s reputation may be impacted. Here are nine useful metrics that will help you tell your organization’s cybersecurity story in a way that matters to business users and executives.
Metrics will help you track and determine the most appropriate level of cybersecurity for your organization.
Tracking time measurements may reveal the need for additional staff, or a need to outsource certain functions.
Whatever the story your cybersecurity metrics tell about your organization today, know that the story will change over time. Keep tracking metrics to identify new cybersecurity strategies, determine appropriate staffing levels, and have the capability to respond swiftly and effectively to cybersecurity incidents.