Yael Citro
Why do you establish cyber security KPIs?
Creating, following, and monitoring cyber security KPIs is a way for IT departments to help meet company goals while demonstrating a duty of care to regulators, board members, leadership, shareholders, and the general public. Good cyber security practices and demonstrating a duty of care can set you apart in a competitive market, helping you achieve such goals as client retention and increasing revenue by saving on incident costs.
IT research and consultancy firm Gartner thinks that “80% of fines imposed by regulators after a cybersecurity breach will be attributable to failures to prove the duty of due care was met” within the next three years. If this prediction is correct, cyber security KPIs are going to be more important than ever.
Breaking down critical cyber security KPIs
Cyber security is more ethereal than website visits or support tickets. Sometimes it isn’t obvious there’s an issue until there’s been a breach. Then there is the software supply chain to consider. It doesn’t take long for the idea of cyber security KPIs to sound overwhelming.
The following is a list of 18 Security KPIs every security team should be tracking.
1. Non-human traffic (NHT)
Why measure it? An increase in normal website traffic or a sudden spike in traffic unrelated to a promotion, press release, or other business-related reason may signal a potential bot attack.
2. Unidentified devices on the internal network
The number of “unnamed” devices connected to your network. While they could be employee devices, they could also be bad actors. Ideally, you want 0 unidentified devices.
3. Intrusion attempts
The number of times malicious actors have tried to gain access to your networks.
4. Mean Time Between Failures (MTBF)
Determines the reliability of your systems during normal business operations. The greater the time between failures, the more reliable the systems.
5. Mean Time to Detect (MTTD)
Determines the length of time it takes to discover potential security threats. Less than five hours is generally considered a good MTTD.
6. Mean Time to Acknowledge (MTTA)
Determines how long it takes you to start working on an issue once it has been identified.
7. Mean Time to Contain (MTTC)
Measures how long it takes you to contain threats.
8. Mean Time to Resolve (MTTR)
Measures how long it takes your company to return to normal business operations from a threat, product, or system failure. Under five hours is considered good.
9. Mean Time to Recovery (MTTR)
Tracks compliance controls, configurations, and exceptions, as well as Service Level Agreements (SLA).
10. Security Policy Compliance
The number of “unnamed” devices connected to your network. While they could be employee devices, they could also be bad actors. Ideally, you want 0 unidentified devices.
11. Days to patch
Length of time it takes you to patch security holes
12. Cybersecurity awareness training
Tracks such things as how often cyber security training materials are updated, if new hires receive cyber security training, how often existing employees receive training, and employee knowledge retention.
13. Number of cyber security incidents reported
Tracks how often, or if, employees and users are reporting issues. For example, how many employees forward phishing emails to IT? How often are such emails forwarded to IT?
14. Security ratings or Security score
Generally used by underwriters to understand a company’s cyber security risk. It is also a way to see how your company ranks relative to others in your industry, and how your suppliers and vendors compare.
15. Access management
Used to keep tabs on the number of people who have administrative rights to networks and applications. Does everyone on the list require administrative access?
16. Phishing attack success
Tracks how many phishing emails employees open. You can separate it into spoof phishing emails your department sends as tests vs ones most likely from malicious actors.
17. Virus infection monitoring
Tracks how often your antivirus software scans applications for malware.
18. Cost per incident
Measures the amount of money spent to respond and resolve an attack, including things like employee overtime, investigative costs, fines, and ransomware payments. May also include lost productivity and potentially lost sales due to downtime from an attack.
Knowing your security risks and vulnerabilities is the bedrock for building a mature and effective software supply chain security program. Measuring your mean times, days to patch, various types of network traffic, intrusions, and paying attention to security ratings, compliance, application, and network access provides a baseline of expectations and what normal for your company looks like.
