Measuring Your Cybersecurity Program
November 11, 2020 by Becky Metivier
Cybersecurity spending continues to rise, but cybercrime doesn’t seem to be slowing down. While there’s no shortage of new technologies to invest in, the reality is there’s no silver bullet solution to protect your organization from an attack. A layered approach, one involving people, process, and technology, is required. But how do you know what is working best for your organization? The answer is metrics!
Metrics are used to track success throughout many facets of business, and cybersecurity is no different. When you understand what is effective and what’s not, you can make better choices around what you invest in.
What are cybersecurity metrics?
Being well-informed about your cybersecurity program is essential for success. Developing and utilizing effective metrics will provide you with accurate measurements about how your program is functioning and serve as the base for you to suggest improvements. To be effective, cybersecurity metrics should be:
- Measurements of objective data
- Data that documents the state of your environment
- Data that can be compared period by period
Your metrics should also have context so they mean something. That's why you’re tracking the program after all ... so you can make improvements! Looking at the number of refused connections at your firewall or total number of email messages denied at the gateway doesn’t really tell you anything or provide you with information that can help you improve anything.
Example: Reducing Spam Email Delivery
Let’s take a look at one threat vector, email. Phishing emails are a leading cause of successful cyberattacks. Your goal is to reduce endpoint infections, and you want to see if reducing the number of phishing emails received by end users helps achieve this.
Start out by measuring how many “bad” emails are getting through at each level of security using data from application log reports and spam reports from your users. Say in the first month you find:
- Gateway: 800,000 messages denied; 15,000 messages let through
- Application: 14,000 messages approved; 1,000 messages flagged
- Endpoint: 120 messages flagged as malicious
- User Report: 25 messages reported as spam
It’s important to track these same parameters month over month to set a baseline. Then you can start tuning different parts of the process to see if the numbers change over time. Say you spend 8 hours per month tuning, and the metrics show you’ve reduced infections by 50%. If you know how much a typical infection costs, you now have the data to measure whether it’s worth investing that time resource to achieve that reduction.
Remember when it comes to metrics, data is what you gather, say from your logs. Information is the transformation of that data into context. For example, does taking the time to tune the gateway change its effectiveness? If so, in what direction and by how much?
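To make the data-versus-information distinction concrete, here is an added example (not code from the original post) that turns the layer counts above into comparable rates, computes the period-over-period change against a baseline month, and weighs the tuning time against the infections avoided. Month 1 uses the figures from the post; month 2, the hourly cost, and the cost per infection are assumed values, and the example assumes endpoint detections and user reports are distinct messages.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EmailMonth:
    """One month of counts from the layers named in the example above."""
    gateway_denied: int     # denied at the mail gateway
    gateway_passed: int     # let through by the gateway
    app_approved: int       # approved by the mail application filter
    app_flagged: int        # flagged by the mail application filter
    endpoint_flagged: int   # flagged as malicious on an endpoint
    user_reported: int      # reported as spam by users


def layer_metrics(m: EmailMonth) -> dict:
    """Turn raw counts into rates that can be compared period by period."""
    inbound = m.gateway_denied + m.gateway_passed
    # Assumption: endpoint detections and user reports are distinct messages.
    known_bad_delivered = m.endpoint_flagged + m.user_reported
    return {
        "inbound": inbound,
        "gateway_block_rate": m.gateway_denied / inbound,
        "app_block_rate": m.app_flagged / m.gateway_passed,
        "delivered": m.app_approved,
        "endpoint_flagged": m.endpoint_flagged,
        "known_bad_delivered": known_bad_delivered,
        "delivered_bad_rate": known_bad_delivered / m.app_approved,
    }


def percent_change(baseline: dict, current: dict) -> dict:
    """Period-over-period change of every metric, as a percentage of the baseline."""
    out = {}
    for key, base in baseline.items():
        if base == 0:
            out[key] = None  # no meaningful percentage from a zero baseline
        else:
            out[key] = (current[key] - base) / base * 100.0
    return out


def tuning_net_value(tuning_hours: float, hourly_cost: float,
                     infections_avoided: int, cost_per_infection: float) -> float:
    """Net value of the tuning effort: infections avoided minus time spent tuning."""
    return infections_avoided * cost_per_infection - tuning_hours * hourly_cost


# Constructed data: month 1 uses the figures from the post; month 2 assumes the
# 50% reduction in endpoint infections the post describes after gateway tuning.
MONTH_1 = EmailMonth(800_000, 15_000, 14_000, 1_000, 120, 25)
MONTH_2 = EmailMonth(806_000, 9_000, 8_400, 600, 60, 12)

if __name__ == "__main__":
    base, cur = layer_metrics(MONTH_1), layer_metrics(MONTH_2)
    for key, delta in percent_change(base, cur).items():
        change = f"({delta:+.1f}%)" if delta is not None else "(n/a)"
        print(f"{key:22s} {base[key]:>12.4f} -> {cur[key]:>12.4f}  {change}")
    # Assumed (hypothetical) cost figures: 8 tuning hours at $100/h, $500 per infection.
    print("net value of tuning:", tuning_net_value(8, 100.0, 120 - 60, 500.0))
```

The rates are what give the counts context: a gateway that denies 800,000 messages sounds impressive, but the number that matters for the stated goal is how much known-bad mail still reaches users after every layer, and whether that number moves when you spend time tuning.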
Defining Security Metrics
Make it easy.
Metrics are intended to make people’s lives easier, not burden them. Make it as easy as possible by:
- Using the reporting sources you already have
- Studying the data to understand how it fits together to create metrics
- Defining metrics that make sense for your organization
- NOT designing a system that takes more time and resources to maintain than the value it provides
Grow it over time.
Once you’ve developed a program, you can grow it over time as you understand the value of the metrics. Start with one technology function – say email – then work your way through all your protections. Other tips are:
- Develop new metrics that address pain points
- Focus your metrics on issues that help the business
- Stop using metrics that are not providing value
- When possible, assign a business cost to a metric value
Remember your audiences.
- The first audience is YOU. Having real data to understand how each element of your security program is doing allows you to be a better-informed professional.
- The second audience is management. Providing the information, not the data, on how the security program is performing gives them what they need to make decisions based on reliable information.
- The final audience is users. Users rely on safe and effective protections. Knowing how you are doing in that regard gives them confidence in your performance.
Examples of Security Metrics
Here are a few examples of security metrics you may want to consider for your cybersecurity program.
Systems
- How many systems are missing patches period over period?
- How many systems have expired applications and configurations?
- How many devices are discovered that are NOT in your inventory?
People
- How many people are clicking bad links every month?
- How many of those people are repeats every month?
Incidents
- How many incidents that are false positives are being reported every month?
- How many true incidents are you experiencing every month?
- How long does it take for each incident to be resolved, and what is the business impact?
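As an added example (not code from the original post), the metrics listed above can be computed directly from the reporting sources most programs already have: a phishing-click list per month, an asset inventory alongside a network scan, a patch report, and an incident ticket export. All of the sample data below is constructed for illustration; the host names, user names and ticket ids are placeholders.

```python
from datetime import datetime

# Constructed sample data: who clicked a phishing link, by month.
PHISH_CLICKS = {
    "2020-09": {"alice", "bob", "carol"},
    "2020-10": {"bob", "dave"},
    "2020-11": {"bob", "carol", "erin"},
}

# Constructed: the asset inventory versus what a network scan actually found.
INVENTORY = {"host-01", "host-02", "host-03"}
DISCOVERED = {"host-01", "host-02", "host-04", "printer-07"}

# Constructed: number of missing patches per system, by month.
MISSING_PATCHES = {
    "2020-10": {"host-01": 3, "host-02": 0, "host-03": 7},
    "2020-11": {"host-01": 0, "host-02": 0, "host-03": 2},
}

# Constructed incident tickets; timestamps are ISO 8601, true_positive marks a real incident.
INCIDENTS = [
    {"id": "INC-1", "opened": "2020-11-02T09:00", "closed": "2020-11-02T13:00", "true_positive": True},
    {"id": "INC-2", "opened": "2020-11-05T10:00", "closed": "2020-11-05T10:30", "true_positive": False},
    {"id": "INC-3", "opened": "2020-11-10T08:00", "closed": "2020-11-12T08:00", "true_positive": True},
    {"id": "INC-4", "opened": "2020-11-20T14:00", "closed": "2020-11-20T15:00", "true_positive": False},
]


def repeat_clickers(clicks: dict, month: str) -> set:
    """People who clicked in `month` and had already clicked in an earlier month."""
    earlier = set()
    for m, users in clicks.items():
        if m < month:  # ISO "YYYY-MM" strings sort chronologically
            earlier |= users
    return clicks[month] & earlier


def unmanaged_devices(inventory: set, discovered: set) -> set:
    """Devices seen on the network that are not in the inventory."""
    return discovered - inventory


def unpatched_systems(missing: dict, month: str) -> int:
    """Number of systems with at least one missing patch in `month`."""
    return sum(1 for n in missing[month].values() if n > 0)


def incident_summary(incidents: list) -> dict:
    """False-positive rate and mean hours to resolve the true incidents."""
    true_pos = [i for i in incidents if i["true_positive"]]
    false_pos = [i for i in incidents if not i["true_positive"]]
    hours = [
        (datetime.fromisoformat(i["closed"]) - datetime.fromisoformat(i["opened"])).total_seconds() / 3600
        for i in true_pos
    ]
    return {
        "true_incidents": len(true_pos),
        "false_positives": len(false_pos),
        "false_positive_rate": len(false_pos) / len(incidents) if incidents else 0.0,
        "mean_hours_to_resolve": sum(hours) / len(hours) if hours else 0.0,
    }


if __name__ == "__main__":
    for month in sorted(PHISH_CLICKS):
        print(month, "clicked:", len(PHISH_CLICKS[month]),
              "repeats:", sorted(repeat_clickers(PHISH_CLICKS, month)))
    print("not in inventory:", sorted(unmanaged_devices(INVENTORY, DISCOVERED)))
    for month in sorted(MISSING_PATCHES):
        print(month, "systems missing patches:", unpatched_systems(MISSING_PATCHES, month))
    print(incident_summary(INCIDENTS))
```

Each function answers one of the questions above with a number that can be tracked month over month; attaching a business cost (for example, analyst hours per false positive, or downtime per hour of unresolved incident) is then a matter of multiplying these results by figures your organization already knows.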
There are all sorts of data available in your security program that you can use to create metrics that can help guide, inform, and improve your security program. We encourage you to choose what makes sense for your organization, and get started!