Source: ConceptCafe via Alamy Stock Photo
With the US Securities and Exchange Commission requiring CISOs and boards of directors to increase the level of transparency around their organizations' cybersecurity capabilities and to speed up breach disclosure to investors, cyber reporting and metrics have become a an even bigger priority for companies this year.
Boards of directors are turning the screws to their security and risk executives to bring a lot more rigor to how they track key performance indicators (KPIs) and key risk indicators (KRIs)—and how they utilize these metrics to advise and report to the board. Fundamental to both KPIs and KRIs are security operational metrics that track the scope of assets, cybersecurity activities around those assets and measured security outcomes.
"Security teams use operational metrics to track and report on cybersecurity activities and outcomes," explains The Cyber Savvy Boardroom, a recent primer published by a pair of longtime cyber risk leaders to help directors and executive leaders wrap their arms around cyber issues. "When shared with the board of directors’ risk or audit committees, these key performance indicators illuminate the organization’s cybersecurity capabilities and the efficiency of cyber controls while also helping the board of directors evaluate the adequacy of investments in technology and talent."
Co-authored by Homaira Akbari, CEO of global advisory firm AKnowledge Partners, and Shamla Naidoo, head of cloud strategy for Netscope, the book covers a lot of ground but some of the most vital parts of the primer focus on metrics. Dark Reading summarizes and excerpts from the tome here to present the most common metrics that Akbari and Naidoo believe to be crucial for CISOs to track and share with the board in order to report on risk levels and security performance.
The caveat, of course, is that security leaders need to be able to roll up these metrics into assessments and dashboards that are easy to digest. As they explain in their primer, the metrics detailed in each category create a data-backed model for determining the efficacy of an organization's program and identifying gaps in protection.
"The conclusions of these assessments should be summarized in several overall ratings and included in the company’s cybersecurity dashboard," they explain.
Data
These metrics should scope risk around data assets and track performance in key protection measures for data security, resilience and continuity. Some of the metrics Akbari and Naidoo advise CISOs to track in this category include:
% employee/customer/ user info on dark web
Depth of data-lake segmentation
Financial Assets
Financial asset risks and losses are included in this category—this grouping of metrics should give a measured feel for financial consequences from recent breaches. Some metrics the authors suggest tracking (based on past quarters or over the last year) include:
Value of actual money/crypto lost directly
Value of money or productivity losses in form of ransomware
Volume of financial data leaked (accounts, credit cards, loyalty points, online banking credentials)
While not specifically listed, data on financial losses from business email compromise and indirect breach response costs would also be valuable to track.
People
Whether it is falling prey to phishing or business email compromise (BEC) attacks, exposing data by not following policy, or exposing systems in other ways, people are usually an enterprise's biggest vulnerability. While it may be hard to measure the efficacy of security awareness training, there are some good proxies to get a general sense of how well an organization's people are adhering to security best practices and policies. The authors suggest the following metrics in this category:
% phishing email clickthrough
% suspicious email reported
privileged accounts to total accounts
% employees moving data/files out of the enterprise
Other metrics not directly mentioned but are still relevant include the results from phishing simulations, knowledge assessment scores and behavioral or account data about high-risk individuals.
Suppliers
With third-party risk management and digital supply chain security on the forefront of many executive's minds in the wake of events like SolarWinds, boards will want to be informed of supplier-related security operations risks and performance levels. Akbari and Naidoo believe CISOs would do well to keep the business attuned to trending data and metrics around:
Self-certification of cybersecurity posture of third parties
External scoring against peers and industry
Continuous monitoring of posture of third and fourth parties
External audit compliance
Penetration testing scores (from suppliers)
Data about suppliers will likely have a lot of overlap with metrics about enterprise applications (see below), as application security teams start to look at software supply chain risk, including risky dependencies from third-party code and components.
Infrastructure
Whether on-premises or in the cloud, IT infrastructure exposures and security capabilities in mitigating risks across the network and hardware assets should be appropriately monitored and measured. Some operational data that the authors suggest in this category include metrics around:
Number of servers/hardware approaching end of life
Secure configurations of all assets
Depth of network/ infrastructure segmentation
Level of automation of inventory and control of hardware assets
Depth of Zero Trust architecture deployment: identity, device, access, services
User-Controlled Devices
CISOs should be able to give board members a feel for the level of control their organization has over shadow IT and other user-controlled devices operating on the network. Akbari and Naidoo say the following common metrics should be on the radar:
Number of unidentified devices on the network
Number of devices with unpatched software
Number of threats detected and prevented by the endpoint solution
New Technologies: IoT
The scope and scale of internet of things (IoT) devices has opened up significant risk to enterprises over the course of the past decade. The authors suggest that CISOs provide some risk metrics around these, including:
Number of IoT devices non-upgradable or patchable
Number of IoT ports connecting to enterprise networks
Depth of loT segmentation from enterprise resources
While the focus is currently on IoT, the same approach could work for all emerging technology. AI for example, could include metrics around AI usage and—with some emerging AI security tooling—risk exposure levels from AI usage in the organization.
Enterprise Applications
Whether it is from commercial software or applications developed in-house, applications present some of the biggest attack surfaces in the enterprise today. Akbari and Naidoo offered a couple common metrics boards should be apprised of:
Known open software vulnerabilities
Software patches outstanding
Number of zero-day software vulnerabilities
There is no shortage of additional application security data and metrics that can help track performance and risk levels across application portfolios. Consider including data such as rate of automated versus manual code review, time to fix critical vulnerabilities, open rate of critical vulnerabilities and metrics that add context about exploitability or business value of assets with known critical flaws.
Testing Security Posture
Security validation and testing is an important part of a security program and so CISOs should be beholden to track not only the results from security tests, but also the rate at which they conduct testing. Some metrics that fall into this category, according to Akbari and Naidoo:
Penetration(red, blue) testing
Independent external security ratings versus peers and the industry
Internal/external auditor report on regulatory and cyber compliance
Application and other testing scores and discoveries
Incident Detection and Response
Boards of directors will be very interested in a security team's capability to detect and respond to incidents. Akbari and Naidoo recommend some of the following common ops metrics to track this:
• Volumes and % of actual incidents versus intrusion attempts
• Mean time to detect
• Mean time to contain
• Mean time to remediate/resolve
• Red team scores and discoveries
Additionally, CISOs may benefit from offering metrics and results from tabletop exercises and attack simulations if these are activities they engage in.