Cybersecurity spending continues to rise, but cybercrime doesn’t seem to be slowing down. While there’s no shortage of new technologies to invest in, the reality is that there’s no silver bullet solution to protect your organization from an attack. A layered approach, one that involves people, process, and technology, is required. But how do you know which solutions work best for your organization? The answer is metrics!
Metrics are used to track success throughout many facets of business, and cybersecurity is no different. When you have an understanding of what is effective and what isn’t effective, you can make better business choices around what you invest in.
What are Cybersecurity Metrics?
Being well-informed about your cybersecurity program is essential for success. Developing and utilizing effective metrics will provide you with accurate measurements about how your program is functioning and serve as the base for you to suggest improvements. To be effective, cybersecurity metrics should be:
- Measurements of objective data.
- Data that documents the state of your environment.
- Data that can be compared period by period.
Your metrics should also have context so they mean something. That's why you’re tracking a system afterall... so you can make improvements! Looking at the number of refused connections at your Firewall or total number of email messages denied at the gateway, doesn’t really tell you anything or provide you with information that can help you improve anything.
Example: Reducing Spam Email Delivery
Let’s take a look at one threat vector, email. Phishing emails are a leading cause of successful cyberattacks. Your goal is to reduce endpoint infections, and you want to see if reducing the number of phishing emails received by end users helps achieve this.
Start out by measuring how many “bad” emails are getting through at each level of security using data from application log reports and spam reports from your users. In the first month you find:
- Gateway: 800,000 messages denied; 15,000 messages let through.
- Application: 14,000 messages approved; 1,000 messages flagged.
- Endpoint: 120 message flagged as malicious.
- User Report: 25 message reported as spam.
It’s important to track these same parameters month over month to set a baseline. Then you can start tuning different parts of the process to see if the numbers change over time. Say you spend 8 hours per month tuning, and the metrics show that you’ve reduced infections by 50%. If you know how much a typical infection costs your business, you now have the data to measure whether it’s worth investing that time resource to achieve that reduction.
Remember when it comes to metrics, data is what you gather, say from your logs. Information is the transformation of that data into context. For example, does taking the time to tune the gateway change its effectiveness? If so, in what direction and by how much?
Defining Security Metrics
Make it easy.
Metrics are intended to make people’s lives easier, not burden them. Make it as easy as possible by:
- Using the reporting sources you already have.
- Studying the data to understand how it fits together to create metrics.
- Defining metrics that make business sense.
- NOT designing a system that takes more time and resources to maintain than the value it provides.
Grow it over time.
Once you’ve developed a program, you can grow it over time as you understand the value of the metrics. Start with one technology function – say email – then work your way through all your protections. Other tips are:
- Develop new metrics that address pain points.
- Focus your metrics on issues that help the business.
- Stop using metrics that are not providing value.
- When possible assign a business cost to a metric value.
Remember your audiences.
- The first audience is YOU. Having real data to understand how each element of your security program is doing allows you to be a better informed professional.
- The second audience is Management. Providing the information, not the data, on how the security program is performing gives them what they need to make business decisions based on reliable information.
- The final audience is Users. Users rely on safe and effective protections. Knowing how you are doing in that regard gives them confidence in your performance.
Examples of Security Metrics
Here are a few examples of security metrics that you may want to consider for your cybersecurity program.
- How many systems are missing patches period over period?
- How many systems have expired applications and configurations?
- How many devices are discovered that are NOT in your inventory?
- How many people are clicking bad links every month?
- How many of those people are repeats every month?
- How many false incidents are being reported every month?
- How many positive incidents every month?
- How long does it take for each incident to be resolved and what is the business impact?
There are all sorts of data available in your security program that you can use to create metrics that can help guide, inform, and improve your security program. We encourage you to choose what makes sense for your business, and get started!
Build a Foundation for Cyber Resilience. An Information Security Policy provides the foundation for a successful Program, so your organization can protect your information, adapt to changing threat conditions, and rapidly recover from disruptions. Sage can help with the development of your policy – or even assess your current one.