Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Boards of directors don't care about a security program's minute technical details. They want to see how key performance indicators are tracked and used.

6 Min Read
A screen displaying many different types of charts and graphs to show what data is being analyzed.
Source: ConceptCafe via Alamy Stock Photo

With the US Securities and Exchange Commission requiring CISOs and boards of directors to increase the level of transparency around their organizations' cybersecurity capabilities and to speed up breach disclosure to investors, cyber reporting and metrics have become an even bigger priority for companies this year.

Boards are turning the screws to their security and risk executives to bring a lot more rigor to how they track key performance indicators (KPIs) and key risk indicators (KRIs) — and how they use these metrics to advise and report to the board. Fundamental to both KPIs and KRIs are security operational metrics that track the scope of assets, cybersecurity activities around those assets, and measured security outcomes.

"Security teams use operational metrics to track and report on cybersecurity activities and outcomes," explains The Cyber Savvy Boardroom, a recent primer published by a pair of longtime cyber-risk leaders to help directors and executive leaders wrap their arms around cyber issues. "When shared with the board of directors’ risk or audit committees, these key performance indicators illuminate the organization’s cybersecurity capabilities and the efficiency of cyber controls while also helping the board of directors evaluate the adequacy of investments in technology and talent."

Co-authored by Homaira Akbari, CEO of global advisory firm AKnowledge Partners, and Shamla Naidoo, head of cloud strategy for Netskope, the book covers a lot of ground, but some of the most vital parts of the primer focus on metrics. Dark Reading summarizes and excerpts from the tome here to present the most common metrics that Akbari and Naidoo believe to be crucial for CISOs to track and share with the board in order to report on risk levels and security performance.

The caveat, of course, is that security leaders need to be able to roll up these metrics into assessments and dashboards that are easy to digest. As explained in the primer, the metrics detailed in each category create a data-backed model for determining the efficacy of an organization's program and identifying gaps in protection.

"The conclusions of these assessments should be summarized in several overall ratings and included in the company’s cybersecurity dashboard," Akbari and Naidoo explain.

Data

These metrics should scope risk around data assets and track performance in key protection measures for data security, resilience, and continuity. Some of the metrics Akbari and Naidoo advise CISOs to track in this category include:

  • % data centralized

  • % data encrypted

  • Backup frequency

  • Speed of data recovery

  • % employee/customer/user info on Dark Web

  • Depth of data-lake segmentation

Financial Assets

Financial asset risks and losses are included in this grouping of metrics, which should give a measured feel for financial consequences from recent breaches. Some metrics the authors suggest tracking (based on past quarters or over the past year) include:

  • Value of actual money/crypto lost directly

  • Value of money or productivity losses in form of ransomware

  • Volume of financial data leaked (accounts, credit cards, loyalty points, online banking credentials)

While not specifically listed, data on financial losses from business email compromise (BEC) and indirect breach response costs would also be valuable to track.

People

Whether it is falling prey to phishing or BEC attacks — exposing data by not following policy or exposing systems in other ways — people are usually an enterprise's biggest vulnerability. While it may be hard to measure the efficacy of security awareness training, there are some good proxies to get a general sense of how well an organization's people are adhering to security best practices and policies. The authors suggest the following metrics in this category:

  • % phishing email click-through

  • % suspicious email reported

  • Passwords hacked

  • Privileged accounts to total accounts

  • % employees moving data/files out of the enterprise

Other metrics not directly mentioned but are still relevant include the results from phishing simulations, knowledge assessment scores, and behavioral or account data about high-risk individuals.

Suppliers

With third-party risk management and the digital supply chain security on the forefront of many executives' minds in the wake of events like SolarWinds, boards will want to be informed of supplier-related security operations risks and performance levels. Akbari and Naidoo believe CISOs would do well to keep the business attuned to trending data and metrics around:

  • Self-certification of cybersecurity posture of third parties

  • External scoring against peers and industry

  • Continuous monitoring of posture of third and fourth parties

  • External audit compliance

  • Penetration testing scores (from suppliers)

Data about suppliers will likely have a lot of overlap with metrics about enterprise applications (see below), as application security teams start to look at software supply chain risk, including risky dependencies from third-party code and components.

Infrastructure

Whether on-premises or in the cloud, IT infrastructure exposures and security capabilities in mitigating risks across the network and hardware assets should be appropriately monitored and measured. Some operational data that the authors suggest in this category include metrics around:

  • Number of servers/hardware approaching end of life

  • Secure configurations of all assets

  • Depth of network/ infrastructure segmentation

  • Level of automation of inventory and control of hardware assets

  • Vulnerability scanning

  • Depth of zero-trust architecture deployment: identity, device, access, services

User-Controlled Devices

CISOs should be able to give board members a feel for the level of control their organizations have over shadow IT and other user-controlled devices operating on the network. Akbari and Naidoo say the following common metrics should be on the radar:

  • Number of unidentified devices on the network

  • Number of devices with unpatched software

  • Rate of false positives

  • Number of threats detected and prevented by the endpoint solution

New Technologies: IoT

The scope and scale of Internet of Things (IoT) devices has opened up significant risk to enterprises over the course of the past decade. The authors suggest that CISOs provide some risk metrics around these, including:

  • Number of non-upgradable or patchable IoT devices

  • Number of IoT ports connecting to enterprise networks

  • Depth of loT segmentation from enterprise resources

While the focus is currently on IoT, the same approach could work for all emerging technology. AI, for example, could include metrics around AI use and — with some emerging AI security tooling — risk exposure levels from AI use in the organization.

Enterprise Applications

Whether it is from commercial software or applications developed in-house, applications present some of the biggest attack surfaces in the enterprise today. Akbari and Naidoo offer a couple of common metrics boards should be apprised of:

  • Known open software vulnerabilities

  • Software patches outstanding

  • Number of zero-day software vulnerabilities

There is no shortage of additional application security data and metrics that can help track performance and risk levels across application portfolios. Consider including data such as rate of automated versus manual code review, time to fix critical vulnerabilities, open rate of critical vulnerabilities, and metrics that add context about exploitability or business value of assets with known critical flaws.

Testing Security Posture

Security validation and testing is an important part of a security program, so CISOs should be beholden to track not only the results from security tests, but also the rate at which they conduct testing. Some metrics that fall into this category, according to Akbari and Naidoo, are:

  • Penetration(red, blue) testing

  • Independent external security ratings versus peers and the industry

  • Internal/external auditor report on regulatory and cyber compliance

  • Application and other testing scores and discoveries

Incident Detection and Response

Boards of directors will be very interested in a security team's ability to detect and respond to incidents. Akbari and Naidoo recommend some of the following common ops metrics to track this:

• Volumes and % of actual incidents versus intrusion attempts

• Mean time to detect

• Mean time to contain

• Mean time to remediate/resolve

• Red team scores and discoveries

Additionally, CISOs may benefit from offering metrics and results from tabletop exercises and attack simulations if these are activities they engage in.

About the Author(s)

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights