Why Cybersecurity KPIs Are Changing (And What This Means for Security Leaders)


The rise of artificial intelligence (AI), expanding regulatory and legal requirements, and the growing sophistication and speed of cyberattacks have put cybersecurity — and how it is measured — front and centre for CISOs, the wider C-suite, and the board.  

The negative consequences a business can suffer are now more profound than ever before. Losing even one hour of resilience could translate into massive financial setbacks, as well as damage to customer satisfaction, consumer confidence, and relationships with trading partners. But how do you measure an organisation’s ongoing cyber health and whether it is resilient? Simply waiting for the annual compliance audit and hoping for the best is not an option.

The Two Types of KPIs You Need

Static KPIs will not provide the full picture in a fast-moving field like cybersecurity. For a complete view of cybersecurity health, organisations should classify KPIs into two categories:

  • Progress KPIs illustrate progress in improving resilience and security posture effectiveness. For example, the number of tools used to protect your digital essentials, or the degree of automation. The objective of progress KPIs is to show advancements in cybersecurity posture transformation, ensuring your KPIs are developing towards or beyond regulatory or board requirements.
  • Effectiveness KPIs, such as mean time to detect (MTTD) and mean time to remediate (MTTR), demonstrate how well your cybersecurity set-up is able to tackle attacks and protect the enterprise.
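As an added example (not from the article or the guide it promotes), the following Python computes MTTD and MTTR from a small set of constructed incident records, treating MTTD as first malicious activity to detection and MTTR as detection to remediation. It also reports the median and maximum alongside the mean, because a single slow incident can pull the mean far from what a typical incident looks like, and it counts detected-but-unremediated incidents separately rather than silently dropping them. The record format and field names are assumptions for illustration.

```python
from datetime import datetime
from statistics import mean, median

# Constructed incident records (hypothetical, not real data). Timestamps are
# ISO 8601 in UTC; a remediated value of None means the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T08:00:00",
     "detected": "2024-03-01T09:00:00", "remediated": "2024-03-01T12:00:00"},
    {"id": "INC-2", "first_activity": "2024-03-02T10:00:00",
     "detected": "2024-03-02T10:30:00", "remediated": "2024-03-02T14:30:00"},
    # One slow-burn case: two days undetected, two more days to remediate.
    {"id": "INC-3", "first_activity": "2024-03-03T00:00:00",
     "detected": "2024-03-05T00:00:00", "remediated": "2024-03-07T00:00:00"},
    {"id": "INC-4", "first_activity": "2024-03-04T09:00:00",
     "detected": "2024-03-04T09:15:00", "remediated": None},   # still open
    {"id": "INC-5", "first_activity": "2024-03-05T06:00:00",
     "detected": "2024-03-05T07:00:00", "remediated": "2024-03-05T09:00:00"},
]


def _parse(ts):
    """Parse an ISO 8601 timestamp, passing None through unchanged."""
    return datetime.fromisoformat(ts) if ts else None


def _hours(start, end):
    """Elapsed time between two datetimes, in hours."""
    return (end - start).total_seconds() / 3600.0


def detection_times(incidents):
    """Hours from first malicious activity to detection, per detected incident."""
    return [_hours(_parse(i["first_activity"]), _parse(i["detected"]))
            for i in incidents if i.get("detected")]


def remediation_times(incidents):
    """Hours from detection to remediation, for closed incidents only."""
    return [_hours(_parse(i["detected"]), _parse(i["remediated"]))
            for i in incidents if i.get("detected") and i.get("remediated")]


def summarise(hours):
    """Mean, median and max of a list of durations; None-filled when empty."""
    if not hours:
        return {"count": 0, "mean_h": None, "median_h": None, "max_h": None}
    return {
        "count": len(hours),
        "mean_h": round(mean(hours), 2),
        "median_h": round(median(hours), 2),
        "max_h": round(max(hours), 2),
    }


def kpi_report(incidents):
    """Effectiveness KPIs for one reporting period."""
    open_count = sum(1 for i in incidents
                     if i.get("detected") and not i.get("remediated"))
    return {
        "mttd": summarise(detection_times(incidents)),
        "mttr": summarise(remediation_times(incidents)),
        "open_incidents": open_count,
    }


if __name__ == "__main__":
    report = kpi_report(INCIDENTS)
    for name in ("mttd", "mttr"):
        s = report[name]
        print(f"{name.upper()}: mean {s['mean_h']}h, median {s['median_h']}h, "
              f"max {s['max_h']}h over {s['count']} incidents")
    print(f"Open (detected, not yet remediated): {report['open_incidents']}")
```

On the constructed data the mean MTTD is about 10 hours while the median is 1 hour: one two-day-undetected incident accounts for nearly the entire gap, which is exactly the kind of case a board report should surface rather than average away.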

Combining these KPIs ensures continuous improvement and effort to drive ‘security by design’. In the face of constant change, it is also crucial to prioritise and measure resiliency.

Prioritising Resilience

If an organisation is resilient, it can manage a number of crises including overlapping and cascading attacks. Historically, resilience tended to be measured imprecisely or not using the right data, often with very high-level KPIs that gave directional information rather than true insights. This approach no longer works because the rapidly growing number of digital interactions translates into more entry points, more threat vectors, and more successful attacks.

Whilst MTTD and MTTR are still valuable measures of cybersecurity effectiveness, organisations looking to fully quantify their resilience will also need to look at the complexity of their tech stacks, the challenges associated with tools and services set-up, and how productive cybersecurity staff are.

An important step towards extending the capabilities of in-house teams is building and leveraging a cybersecurity tech model that helps achieve KPIs such as resiliency, responsiveness, cost efficiency, and risk reduction. This ‘platform’ approach simplifies integration of disparate tools and services across a common architecture. It reduces the challenges of managing multiple vendors, tech stack complexity, tools sprawl, and redundant spending, while helping to drive faster response and improve insights into risks.

True resilience is impossible to achieve without strategic and tactical collaboration between cybersecurity teams, IT colleagues, and business stakeholders.

Helping You Build Effective Cybersecurity KPIs

The organisations that will thrive in the next decade are those with perfect visibility into their risks, real-time awareness of their posture, and agility that enables them to adapt faster than threats evolve.

To support senior cybersecurity and technology leaders in establishing the right cybersecurity KPIs, we have created a new Peer Insights guide, Measuring risk and resilience: How to define, deliver, and report on cybersecurity KPIs.

The guide captures key insights and recommendations from experienced and innovative leaders on how they build and manage their cybersecurity KPIs. A key theme throughout the guide’s chapters is cybersecurity resilience — especially an organisation’s ability to demonstrate a more sophisticated, mature approach to resilience.

Download the guide here.
