It can be difficult to measure the value you’re getting from your investment in cyber security because you may not really notice that it’s working until you have an intruder. At the same time, business leaders ask for cyber security KPIs so they can justify the expense. So how do you measure something that is designed to keep you safe?
Think about why you have smoke detectors, fire extinguishers, and fire drills. If you go year after year without a fire incident, does that mean you wasted your money on fire safety equipment and training? Certainly not. But you can’t measure value by the number of fires you didn’t have.
What you have to look at is how effective you are in following fire safety practices and regulations. And that’s similar to what you have to do with cyber security too.
Measure Cyber Security Value by Readiness
For small and medium-sized businesses, the best way to measure cyber security is by your level of readiness.
The way you determine readiness is to look at the cyber safety tactics you have in place. These tactics can be categorized by their focus on your organization as a whole, on individual users, and on devices.
Adapt the following cyber security KPIs to your organization, and you’ll be able to communicate the value of ongoing cyber security.
10 Cyber Security KPIs
- Security Policies KPI – Do we have appropriate policies to document secure behavior? Are we training employees in their use? How successful are we in enforcing policies?
- Security Strategy KPI – Are we regularly meeting with our Technology Advisor or vCISO to review our strategy? What improvements have we implemented? What improvements have been recommended that we have yet to implement?
- Vulnerability Management KPI – How many severe or critical vulnerabilities are found each reporting period? Are we trending down compared with the last scan?
- Compliance KPI – Are we successfully maintaining compliance? If not, where are we slipping, and what do we need to do to adjust?
- MFA KPI – What percentage of accounts are using MFA? Are non-MFA accounts being monitored?
- Password Management KPI – Are we enforcing password management best practices for length, complexity, and updates?
- Account Privileges KPI – Does each employee have access to only the data and systems they need to do their job? Do we have alerts set up to notify us when account privileges are changed?
- Cyber Security Awareness Training KPI – Are all employees enrolled in ongoing training? Who needs more practice based on feedback from phishing simulations? Is our Phish-Prone Percentage trending down?
- EDR and AV KPI – Are EDR and AV installed on all devices? If either is missing, is there a documented reason why? Of the incidents that needed response, how many were false positives and how many were malicious programs?
- Software Patching KPI – Are we updating all software with security patches? Is this process automated? Is third-party software being patched?
Overarching Security Considerations for Your Organization
1. Security Policies
Look to your security policies for measurable indicators of your cyber security readiness. Your policies document how you want employees to act in certain situations. You may use other tactics (including technical tools) to enforce policies, but teaching employees what is expected regarding secure behavior is foundational to cyber readiness.
KPI – Do we have appropriate policies to document secure behavior? Are we training employees in their use? How successful are we in enforcing policies?
2. Security Strategy Review and Improvement
It’s beyond the scope of this article to detail all of the technical tactics that every organization should be using for cyber security. However, a business-level measurement you can use to determine whether you’re staying up to date with modern cyber security tactics is how often you review your security strategy and implement improvements.
KPI – Are we regularly meeting with our Technology Advisor or vCISO to review our strategy? What improvements have we implemented? What improvements have been recommended that we have yet to implement?
3. Identify Weaknesses
Tactics that look for weaknesses in your security layers will feed your security strategy.
Your network is constantly changing – users are being added and subtracted, data is being created, connections are added and removed – and your security strategy needs to be dynamic too.
Vulnerability scanning searches for and identifies gaps that need to be closed.
KPI – How many severe or critical vulnerabilities are found each reporting period? Are we trending down compared with the last scan?
4. Adherence to Compliance Frameworks
If you’re in a regulated industry, your success at attaining and maintaining compliance is a very relevant component of your cyber security health. Likewise, if your customer or vendor mandates that you follow a common framework like NIST as a requirement for doing business, you’ll need to know and communicate that you’re adhering to their standards.
Keep in mind that compliance does not equal security. Your security strategy will include components that aren’t necessarily wrapped into your compliance tactics.
KPI – Are we successfully maintaining compliance? If not, where are we slipping, and what do we need to do to adjust?
Individuals Are Your First Line of Defense
Your people are your first line of defense against cyber attacks, and they can intentionally or unintentionally bypass all of your other security measures by their actions.
Use the following security layers to measure employees’ cyber security readiness.
1. Multi-Factor Authentication (MFA)
Check if MFA has been deployed to all accounts and monitor that its use does not slip. If there are accounts exempted from using MFA – like emergency administrator accounts – track those accounts to ensure they’re used solely for administrative purposes.
KPI – What percentage of accounts are using MFA? Are non-MFA accounts being monitored?
2. Password Management
Just because you have everyone using MFA doesn’t mean you don’t need good password management. You do. Passwords should have a minimum length and follow complexity requirements. Many security professionals recommend changing your password once or twice a year.
KPI – Are we enforcing password management best practices for length, complexity, and updates?
3. Account Privileges
Management of privileges goes hand in hand with password management because it’s the next layer needed to control access to IT systems and data. Privileges for each account should be documented and monitored.
KPI – Does each employee have access to only the data and systems they need to do their job? Do we have alerts set up to notify us when account privileges are changed?
4. Cyber Security Awareness Training
Employees need to know how to recognize and respond to potential phishing and social engineering attacks. That’s where cyber security awareness training comes in. An annual workshop won’t make the impact on individual behavior that you need, so training needs to be ongoing and individualized.
KPI – Are all employees enrolled in ongoing training? Who needs more practice based on feedback from phishing simulations? Is our Phish-Prone Percentage trending down?
Device Level Security
Just as you must look at the level of cyber security readiness for computer users, you can review each individual machine or device for deployment of next-gen security tools and use of security best practices.
1. Endpoint Detection and Response (EDR) and Antivirus (AV)
With EDR and AV, you get the ability to detect and respond to both known and unknown threats. EDR watches for network traffic patterns to identify abnormal traffic. AV responds to malware that’s been installed on a device. You need both.
KPI – Are EDR and AV installed on all devices? If either is missing, is there a documented reason why? Of the incidents that needed response, how many were false positives and how many were malicious programs?
2. Software and Operating System Patching
Keeping software up to date with the latest security patches is a traditional security tactic that continues to be necessary. Vulnerabilities in unsupported software (including operating systems) are known targets for cyber criminals.
KPI – Are we updating all software with security patches? Is this process automated? Is third-party software being patched?
Cyber Security Metrics Measure Readiness
Do you get the idea now that cyber security key performance indicators are tied to readiness? It would certainly be interesting to know how many intruders were repelled because of your security, but in the end, that’s not the kind of data that moves you forward.
You should now be able to start tracking your security KPIs. Create a simple spreadsheet and begin. In fact, processing your security strategy in this way can even help you understand it better, which will help you communicate the value of security in the long run.
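As an added illustration (not code from the original article), the following Python script produces one row of that spreadsheet for four of the KPIs above: MFA coverage, EDR/AV coverage, the severe/critical vulnerability trend, and the Phish-Prone Percentage trend. The inventory records, field names, and the assumption that Phish-Prone Percentage is the share of simulation recipients who clicked are all constructed for the example.

```python
# Constructed sample inventory (illustrative only, not data from the article).
ACCOUNTS = [
    {"user": "alice", "mfa": True, "exempt": False},
    {"user": "bob", "mfa": True, "exempt": False},
    {"user": "carol", "mfa": False, "exempt": False},  # no MFA, no documented exemption
    {"user": "breakglass-admin", "mfa": False, "exempt": True},  # tracked emergency admin
]
DEVICES = [
    {"host": "ws-01", "edr": True, "av": True, "reason": ""},
    {"host": "ws-02", "edr": False, "av": True, "reason": "isolated lab box"},
    {"host": "ws-03", "edr": False, "av": False, "reason": ""},  # gap with no reason
]
SCAN_CRITICALS = [14, 9, 11]  # severe/critical findings per scan, oldest first
PHISH_SIMS = [{"sent": 50, "clicked": 9}, {"sent": 50, "clicked": 5}]  # oldest first

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def trend(values):
    """Direction of the latest period versus the previous one ('down' is the goal)."""
    if len(values) < 2:
        return "n/a"
    if values[-1] < values[-2]:
        return "down"
    return "up" if values[-1] > values[-2] else "flat"

def mfa_kpi(accounts):
    covered = sum(1 for a in accounts if a["mfa"])
    # Non-MFA accounts without a documented exemption are unmonitored gaps.
    gaps = [a["user"] for a in accounts if not a["mfa"] and not a["exempt"]]
    return {"coverage_pct": pct(covered, len(accounts)), "unmonitored": gaps}

def endpoint_kpi(devices):
    covered = sum(1 for d in devices if d["edr"] and d["av"])
    # A device missing EDR or AV with no recorded reason needs follow-up.
    gaps = [d["host"] for d in devices if not (d["edr"] and d["av"]) and not d["reason"]]
    return {"coverage_pct": pct(covered, len(devices)), "unexplained_gaps": gaps}

def readiness_report():
    """One row of the KPI spreadsheet: coverage figures plus period-over-period trends."""
    phish_prone = [pct(s["clicked"], s["sent"]) for s in PHISH_SIMS]
    return {
        "mfa": mfa_kpi(ACCOUNTS),
        "endpoint": endpoint_kpi(DEVICES),
        "critical_vuln_trend": trend(SCAN_CRITICALS),
        "phish_prone_pct": phish_prone,
        "phish_prone_trend": trend(phish_prone),
    }
```

With the sample data the report shows MFA at 50% with one unmonitored account, endpoint coverage at 33.3% with one unexplained gap, critical vulnerabilities trending up since the last scan, and the Phish-Prone Percentage trending down.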
Accent Managed Security Services for Southern California Companies
Here at Accent, we work with clients to craft and implement cyber security strategies that meet their safety, compliance, and business sustainability goals.
If the way your managed IT service provider is handling security doesn’t give you confidence and peace of mind, we should talk. Contact us for a cyber security assessment.