Despite the various economic crises, organizations are pumping more money into cybersecurity than ever before. Gartner predicts that total global end-user spending on security and risk management will hit $172.5bn this year and top $267.3bn by 2026.
However, this capital is not necessarily being spent effectively. There is a tendency for enterprises to continuously add the latest solutions to their existing security stack without stopping to measure the impact on their security effectiveness. This feeds into a cycle of ‘rip and replace,’ where firms eventually decide their cybersecurity stack isn’t working and tear it up to start again.
While this is sometimes justified, enterprises are often unaware of how well their solutions work because they have not correctly operationalized their security to track and measure performance.
Organizations must implement key performance indicators (KPIs) to measure success effectively and drive security decisions.
What Are KPIs, and Why Do They Matter?
KPIs provide a way of tracking activity against a predefined target. Crucially, KPIs are not simply metrics; each must be defined against a target value that directs effort towards a specific outcome.
KPIs provide clear insights into the effectiveness of the security stack against the organization’s business objectives. Having clearly defined targets and measurable outcomes helps to translate the complexity of cybersecurity into a more accessible format for non-technical stakeholders.
Yet we find that only a small percentage of organizations use security KPIs properly.
Why Better KPIs Need to Be Set for Cybersecurity
While KPIs are fundamental in many other sectors, such as business architecture and service desks, the security industry does not yet naturally align with them. This might be because cybersecurity is still a relatively new field and is seen as too technical for business leaders to get to grips with.
However, KPIs are critical in helping decision-makers understand cybersecurity. Achieving effective security is impossible without applying standard business practices to measure performance and outcomes.
Security solutions are incredibly rich in information, usually offering a limitless stream of data points about performance and activity. But without KPIs, this data can appear detached and inconsequential. A strong set of KPIs helps to frame this information in a business context, ensuring security targets align with the wider organization’s needs and goals.
Without this context, firms are more likely to make arbitrary decisions about their security stack. The cycle of rip and replace wastes capital and resources and can leave enterprises more vulnerable to threats as security personnel get to grips with new solutions and processes.
What Are the Best Cybersecurity Metrics?
Knowing what to measure will significantly impact a business’s ability to make informed decisions about its cyber investments. The right metrics depend on the specific security solution and the organization’s security maturity and business objectives. There are six key areas to cover:
- Culture – Measuring how everyone in the organization thinks about security. This emphasizes awareness and behavior and is critical to building a resilient workforce.
- Measurement – Tracking fundamental security capabilities in identifying, protecting against, detecting, responding to and recovering from cyber threats. Measurement should be focused on the most significant risks to the business.
- Accountability – Focused on the traceable actions of individuals and groups responsible for crucial security activity such as fault isolation, prevention, recovery and legal action.
- Process – The critical processes needed to support operationalizing security.
- Resources – The knowledge and ownership needed to manage, maintain and operate the organization’s security processes and technologies.
- Automation – The automation of security tasks, including incident detection and response and administrative duties.
Culture and measurement are the most important areas to set KPIs for in the first instance. Getting these right will help ensure that security is taken seriously at different levels of the organization and that processes are in place to track performance. They should be the priority for businesses in the initial stage of their security maturity journey, and firms should only move on to the other areas once these foundations are set.
Translating KPIs into Successful Business Outcomes
Finding the right metrics is only the first step towards effective KPIs. They must be set against goals aligned with specific business objectives and be in sync with operational priorities. Ideally, KPIs should apply to every employee in some capacity, and it must be clear which departments are involved and which leaders have ownership and responsibility.
For example, a KPI on phishing would target reducing phishing rates and improving awareness over time. It would apply to the entire organization but ultimately be the responsibility of the heads of security and HR.
Implementing effective KPIs will enable firms to properly operationalize their security stack, ensuring they are always equipped to make an informed decision before investing in new and/or additional solutions. Armed with this knowledge, they have the best shot at maximizing their ROI and security capabilities.