It can sometimes feel like a new cybersecurity KPI is invented every week.
There are some good reasons for this. Cybersecurity teams are constantly having to justify the cost of their department against other business expenditures, and one of the best ways of doing this is to present management with ‘hard’ data about cyber risk.
The problem is that during this process KPIs can get somewhat detached from their original purpose: to monitor and improve cybersecurity performance. That means that all KPIs should have an intended purpose that can be quantified. Even if the underlying achievement isn’t specific, the metrics that measure the initiative should be.
Further, reporting a KPI is only half the battle. Following the identification of an issue, it is the responsibility of management to observe the results, translate what the calculation means, and deliver action to make changes.
All this means that a “KPI” such as “Employee Perception of Risk”, or any number of other soft measures, is not a meaningful KPI at all.
So today we’re going to break it down, and talk about the 7 cybersecurity KPIs that should be at the heart of your security protocols. These are, in my view, the basic factors that your cybersecurity KPIs should cover.
1. Increase (or Decrease) in Reported Incidents
At the core of your cybersecurity KPIs should be a measure of the threat environment you face: whether the number of incidents reported is going up or down (though it is probably going up).
This is the most basic cybersecurity KPI there is, because tracking the number of incidents is the ultimate measure of whether the rest of your security protocols are effective. It will also help you to justify spending on cybersecurity within your organization.
2. Number of Security Incidents
This KPI is the complement to the one above, and measures the raw number of security incidents over a given period. At a basic level, this KPI will output just a single number. However, when collecting data on the number of security incidents you face, there are a couple of things to keep in mind.
One is that you will need to pay attention to all parts of your systems. Given the current threats faced by businesses, there is a tendency to focus on phishing and MITM attacks at the expense of some other basic systems. One is the security of your public-facing web portals. Another is cloud security. These systems typically face a large number of small threats, rather than infrequent large vulnerabilities, and so it is easy to forget about them.
This leads to the second important factor in tracking the number of security incidents you face: don’t get distracted by the largest, most recent threat. It also pays to sweat the small stuff, since a high number of small hacks can easily outweigh the impact of one large data breach.
3. Cost Per Incident
The next most important KPI is the cost of each incident. This can be a tricky KPI to measure, because it should include all of the resources – both human and technical – that were required to hunt down threats and address each incident, as well as an estimate of the lost revenue caused by them.
If measured correctly, though, this KPI is perhaps the most effective when it comes to justifying the cost of extra cybersecurity measures. If you can show, for instance, that the time spent in vulnerability scanning far outweighs the cost of addressing vulnerabilities after they are exploited, you can make a watertight business case for increased vulnerability vigilance.
4. Time to Resolve
Mean Time To Identify (MTTI) and Mean Time To Contain (MTTC) are also KPIs that have been around since the birth of cybersecurity. Unfortunately, however, recent data suggests that both are still worryingly slow. The MTTC for US companies in 2017, for instance, was 208 days, and the MTTI 52 days.
The underlying reasons for slow responses to incidents may be complex, involving scarce resources at either a human or technical level, or poor management structures. However, this is another KPI that can help to identify lapses in security management, and help to justify the cost of deploying extra resources such as AI cybersecurity tools that can automatically identify incidents.
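As an added example that is not part of the original article, the four incident KPIs above (count, trend, cost per incident, MTTI/MTTC) can be computed from an incident log like this. The records are constructed, and MTTC is measured from identification to containment, which is an assumption the article does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    started: datetime               # when the compromise actually began
    identified: datetime            # when the team detected it
    contained: Optional[datetime]   # None = still open
    cost_usd: float                 # people, tooling and lost revenue so far

# Constructed sample data, not real incidents.
INCIDENTS = [
    Incident(datetime(2017, 1, 3), datetime(2017, 1, 13), datetime(2017, 1, 20), 12_000),
    Incident(datetime(2017, 2, 1), datetime(2017, 3, 2), datetime(2017, 3, 9), 40_000),
    Incident(datetime(2017, 4, 10), datetime(2017, 4, 12), datetime(2017, 4, 12), 1_500),
    Incident(datetime(2017, 5, 5), datetime(2017, 5, 25), None, 8_000),  # still open
    Incident(datetime(2017, 6, 1), datetime(2017, 6, 3), datetime(2017, 6, 5), 2_000),
]

def incidents_per_quarter(incidents):
    """KPI 2: raw count of incidents keyed by (year, quarter) of the start date."""
    counts = {}
    for inc in incidents:
        key = (inc.started.year, (inc.started.month - 1) // 3 + 1)
        counts[key] = counts.get(key, 0) + 1
    return counts

def incident_trend(incidents):
    """KPI 1: change in count between the two most recent quarters (+ = rising)."""
    counts = incidents_per_quarter(incidents)
    keys = sorted(counts)
    if len(keys) < 2:
        return 0
    return counts[keys[-1]] - counts[keys[-2]]

def cost_per_incident(incidents):
    """KPI 3: mean cost; open incidents contribute their cost to date."""
    return mean(i.cost_usd for i in incidents)

def mtti_days(incidents):
    """KPI 4: Mean Time To Identify, in days from start to detection."""
    return mean((i.identified - i.started) / timedelta(days=1) for i in incidents)

def mttc_days(incidents):
    """KPI 4: Mean Time To Contain, in days from detection to containment
    (assumed definition). Open incidents have no containment time yet, so
    they are excluded rather than silently counted as zero days."""
    closed = [i for i in incidents if i.contained is not None]
    return mean((i.contained - i.identified) / timedelta(days=1) for i in closed)
```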
5. Uptime
Uptime is another KPI that appears to present a pretty basic number, but that actually tells you a lot about how well your cybersecurity is working.
In addition, Uptime is a measure that is implied in many of the other KPIs on this list. If your website goes down as the result of a security incident, this can seriously increase not just the cost of the incident but also its impact on your customers.
An analysis of the reasons behind downtime can also highlight areas of concern. Downtime can be an indication that you need to step up your web security to guard against hacks. It may also be that poor uptime is the fault of your web host, and this should also be cause for concern. Gary Stevens of community-funded IT research group HostingCanada.org studied the uptimes of leading web hosting providers and found a remarkable difference of 99.993% on the upper end to 97.643% on the lower.
Stevens also offered his opinion that no business should stay with a host that can’t hit at least 99% uptime, and that web hosts with poor uptime are generally those with poor security protocols.
6. Regulatory Requirements
Beyond the ‘technical’ KPIs we’ve covered above, there are also a number of ‘softer’ measures that are useful. One of these is how compliant your current systems are against industry standards.
This KPI is typically measured on a much slower timescale than those above, because improving this measure often involves long-term work in improving the security of systems. That doesn’t mean, though, that it should be ignored. Equally, it need not be hard to measure: there are plenty of tools, such as those offered by Acunetix, that will automatically generate technical and regulatory reports that will feed directly into this KPI.
7. Customer Impact
Last but definitely not least, it is worth measuring the customer impact of security incidents via a KPI.
This can be a difficult thing to do, because this impact can come in many forms and across many channels. For that reason, it is often worth designing this KPI in consultation with management and customer-facing staff, in order to trace the impact of data breaches and other incidents.
If done correctly, though, this KPI is the ultimate measure of your cyber security.
Adapt and Learn
The way in which you measure these KPIs will depend on the precise nature of your business, and the complexity of the systems you employ. In addition, follow what is applicable to your business, and be prepared to change the goal based on what is going on in the company.
That said, if your existing KPIs do not cover at least these aspects of cyber security, then you need to re-think them. Designing your own, complex KPIs for cyber security can be extremely useful, but you need to make sure you are doing the basics first.
Gary Stevens is a front end developer. He’s a full time blockchain geek and a volunteer working for the Ethereum foundation as well as an active Github contributor.