The process of cybersecurity performance management helps an organization understand how well it is meeting its cybersecurity objectives. Because conventional performance management metrics (such as cost or revenue) may have less relevance in a security context, it’s important to have an evaluation methodology that is tailored to the specific needs of security. This framework also helps organizations understand the level of investment (in terms of financial or human capital) needed to create a strong security posture that helps achieve the objectives of the organization.
Cybersecurity is notorious for its complexity and continuously changing nature. In addition to making protecting key assets a challenge, these attributes also make it difficult to accurately gauge how well an organization’s security efforts are performing.
Cybersecurity performance management attempts to solve this problem by introducing a framework by which a cybersecurity program can be accurately evaluated. When done correctly, cyber performance management will help you understand where you are weak, where you are strong, and which steps you can take to shore up the areas where your program is lacking by creating cybersecurity performance goals.
Key Performance Indicators
Typically, a program will be assessed using Key Performance Indicators such as the following:
- How long it takes to detect security incidents
- The time to respond once an incident has been detected
- The number of incidents
- How many incidents are missed initially only to be discovered later
- Level of preparedness
- Threat awareness
- Security training results
Placing these metrics in context is also critically important. For example, an organization may successfully detect and thwart thousands of attacks every day, which may give the impression of a highly effective security program. However, a deeper look may reveal that these attacks are unsophisticated, simple to deter, and pose no risk to critical assets. While this may give a program a superficial appearance of success, far more dangerous risks may be bubbling below the surface, undetected.
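As an added illustration (not from the original article), the following script computes three of the KPIs listed above, mean time to detect, mean time to respond, and the share of incidents missed initially, from a constructed set of incident records, and breaks them down by severity so that a handful of slow, high-severity cases is not hidden by a large volume of quickly handled low-severity noise. The incident records, severity labels and field names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    name: str
    severity: str        # assumed labels: "low", "medium", "high"
    occurred: datetime   # when the hostile activity actually began
    detected: datetime   # when the security team first became aware of it
    contained: datetime  # when response/containment was completed
    found_late: bool     # missed by initial monitoring, discovered in a later review


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def kpis(incidents, severity=None):
    """MTTD, MTTR (hours) and the missed-initially rate, optionally for one severity."""
    subset = [i for i in incidents if severity is None or i.severity == severity]
    if not subset:
        return None
    return {
        "count": len(subset),
        "mttd_hours": round(mean([hours(i.detected - i.occurred) for i in subset]), 2),
        "mttr_hours": round(mean([hours(i.contained - i.detected) for i in subset]), 2),
        "missed_initially_rate": round(sum(i.found_late for i in subset) / len(subset), 2),
    }


def kpi_report(incidents):
    """Overall KPIs plus a per-severity breakdown (the 'context' the article asks for)."""
    report = {"all": kpis(incidents)}
    for sev in sorted({i.severity for i in incidents}):
        report[sev] = kpis(incidents, sev)
    return report


# Constructed sample data: two noisy low-severity events handled within the hour,
# one medium case, and one high-severity compromise that sat undetected for a week.
T0 = datetime(2024, 1, 1, 9, 0)
H = timedelta(hours=1)
SAMPLE_INCIDENTS = [
    Incident("phish-1", "low", T0, T0 + 0.5 * H, T0 + 1.5 * H, False),
    Incident("scan-2", "low", T0, T0 + 0.5 * H, T0 + 1.5 * H, False),
    Incident("malware-3", "medium", T0, T0 + 2 * H, T0 + 6 * H, False),
    Incident("creds-4", "high", T0, T0 + 168 * H, T0 + 180 * H, True),
]

if __name__ == "__main__":
    for scope, values in kpi_report(SAMPLE_INCIDENTS).items():
        print(scope, values)
```

The overall MTTD of about 43 hours looks tolerable, but the per-severity view shows the only high-severity incident took a week to detect and was found late, which is the picture the board actually needs.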
Security Performance Management Methods
Organizations sometimes evaluate their cybersecurity performance on an annual or semi-annual basis using a third-party vendor or an internal team. One of the drawbacks of this form of cyber performance management is its episodic, point-in-time nature. Given how rapidly things change, it is very easy for problems to arise during the long periods between assessments.
Manual evaluations can also make it difficult to assess performance over time, as team members must extrapolate from dated third-party assessments or static results to measure progress. Given how badly many security teams are overburdened with their day-to-day responsibilities, it often becomes difficult to maintain an accurate long-term assessment of performance.
Software that offers continuous, automatic reporting (such as attack path management platforms) helps solve this problem by offering a more complete picture of the effectiveness of a security program at any point in time. Such software can detect issues, generate remediation guidance, and provide ongoing visibility into how cybersecurity performance evolves over time.
Using these automated tools also relieves the burden on security teams and produces detailed reports for the board, giving timely, easy-to-digest narratives about the performance of a security program over time.