Cyber Security KPIs
Cyber Security KPIs – Which Ones Are Right For Your Organisation?
Measuring the performance of a cyber security strategy is essential for improving its efficiency and resilience. But when it comes to identifying the key performance indicators (KPIs) that will drive a plan of action forward, many IT security professionals are lagging behind.
Identifying which KPIs work best for your cyber security strategy is much like performing a risk assessment – critical risks must be identified before solutions can be outlined. Drafting a solution and then looking for a risk it can address is inefficient. Similarly, planning KPIs and then trying to find something for them to measure and improve is ineffective. So the most productive way to start is with a detailed assessment of your current security operations program: which of its goals and functions are the most critical to your organisation?
Well-thought-out KPIs will look different in every organisation. They make problems and anomalies stand out in an actionable, solutions-oriented way, and can therefore help turn meaningful but copious amounts of security data into information that senior management can digest quickly. When drafting your own KPIs, prioritise quality over quantity: tracking too many KPIs becomes a burden both for the analyst and for the decision makers who have to cope with an overload of data.
Metrics change over time and according to circumstance, so assessing your KPIs’ value for your organisation is an ongoing process. When determining which KPIs should stay on your list, check whether they still tick the boxes of the SMART criteria:
• Are they Simple to measure, with a clear purpose and a clear link to how they affect the security program?
• Are they Measurable in some way, quantitatively or qualitatively, with a method of measurement that is clearly defined and kept consistent?
• Are they Actionable, driving the decisions that need to be made?
• Are they still Relevant to the security program?
• And are they Time-based, so that variations and patterns are revealed over time?
Additionally, most KPIs come with some level of cost – be it time spent calculating and assessing them, or money spent changing a process so that they can be measured. So a cost/benefit analysis should also be performed when deciding whether a given KPI is appropriate for your security operations.
Cyber Security KPI Examples
KPIs should reflect each organisation’s priorities, goals and objectives, but some examples of cyber security KPIs that apply to most organisations can inspire ideas when you draft your own, such as:
1. Number of devices being monitored – Is this number increasing or decreasing? Why? Assess the security operation’s workload and adjust if necessary.
2. Total number of events – Is this increasing or decreasing? Why? Assess the cost versus value of the incident detection, response and recovery processes, and look for patterns to identify key risks.
3. Number of events per device or host – Are there any devices or hosts which are more prone to security issues than others, causing increased risk? Why? Assess detection success rates and key risks per device or host.
4. Time to detection – How long is it taking your organisation to detect a security event? Are there ways to reduce this time? How? Assess the detection success rates and your processes.
5. Time to resolution – How long is your organisation taking to resolve an actual security event? Are there processes or technologies that can help you reduce this time? What are they? Assess your mitigation success and processes.
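The five KPIs above, computed from a small set of constructed security-event records, as an added example that is not part of the original article; the record fields, host names and asset inventory are assumptions. It goes slightly beyond the list by reporting the median next to the mean for the two time-based KPIs and by listing monitored hosts that reported nothing.

```python
# Added example (not from the original article): computing the five KPIs
# listed above from security-event records of the kind a SIEM or ticketing
# system exports. Record fields and host names are constructed assumptions.
from collections import Counter
from datetime import datetime
from statistics import mean, median

# Constructed sample export: one record per security event, timestamps in UTC.
# "resolved" is None while the event is still open.
EVENTS = [
    {"host": "web-01", "first_seen": "2024-03-01T08:00:00", "detected": "2024-03-01T08:30:00", "resolved": "2024-03-01T12:30:00"},
    {"host": "web-01", "first_seen": "2024-03-02T14:00:00", "detected": "2024-03-02T15:00:00", "resolved": "2024-03-02T17:00:00"},
    {"host": "db-01",  "first_seen": "2024-03-03T02:00:00", "detected": "2024-03-04T02:00:00", "resolved": "2024-03-04T11:00:00"},
    {"host": "vpn-gw", "first_seen": "2024-03-05T09:00:00", "detected": "2024-03-05T09:30:00", "resolved": None},
]
# Constructed asset inventory: every host the monitoring platform is supposed to cover.
MONITORED_HOSTS = {"web-01", "web-02", "db-01", "vpn-gw"}


def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def security_kpis(events, monitored_hosts):
    """Return the KPIs from the list above for one reporting period."""
    ttd = [hours_between(e["first_seen"], e["detected"]) for e in events]
    # Time to resolution is only defined for events that have been closed.
    ttr = [hours_between(e["detected"], e["resolved"]) for e in events if e["resolved"]]
    per_host = Counter(e["host"] for e in events)
    return {
        "devices_monitored": len(monitored_hosts),
        "total_events": len(events),
        "open_events": len(events) - len(ttr),
        "events_per_host": dict(per_host),
        # Monitored hosts that produced nothing: check that the sensor is actually
        # reporting rather than assuming the host is clean.
        "silent_hosts": sorted(monitored_hosts - set(per_host)),
        # Report the median next to the mean: one slow detection (db-01 above)
        # drags the mean far from what a typical event looks like.
        "mean_ttd_hours": round(mean(ttd), 2),
        "median_ttd_hours": round(median(ttd), 2),
        "max_ttd_hours": round(max(ttd), 2),
        "mean_ttr_hours": round(mean(ttr), 2) if ttr else None,
        "median_ttr_hours": round(median(ttr), 2) if ttr else None,
    }


if __name__ == "__main__":
    for name, value in security_kpis(EVENTS, MONITORED_HOSTS).items():
        print(f"{name:>18}: {value}")
```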
If you’re looking to boost your cyber security program but struggling to justify the expenses this requires, use your KPIs as evidence of the program’s value to get senior decision-makers and team members on board.
At NordiX, the Nordic region’s Cyber Security Summit, Georg Kaltenbrunner, Head of Group Operational Risk at Nordea, hosts an interactive session on Security KPIs – Which are the most important & how to measure them for different audiences in a corporation? Request a brochure to learn more: www.cyberseries.io/nordix