As we head into 2020 and beyond, cybersecurity will continue to take a larger and larger chunk of enterprise budgets—which means your security programs will come under more scrutiny than ever. The pressure to make smart, informed decisions about your security posture will only increase.
Selecting the right security-related key performance indicators (KPIs) is foundational to successful security governance, and it is key for maintaining regulatory compliance, building trust with customers, and enabling your business to prosper as cyber attackers grow more aggressive and sophisticated.
Security Governance and Incentives: Which Security KPIs Should My Business Measure?
When it comes to security KPIs, there’s no one-size-fits-all approach. Businesses may track different metrics for different reasons. Some metrics are specifically oriented toward regulatory compliance, and must be tracked to ensure that the business can pass a third-party audit. Other security metrics are more directly related to business outcomes like reducing costs or ensuring business continuity.
Every metric creates an incentive for the security team to act a certain way, and it’s important to understand the incentives created by your selected metrics and KPIs. It is also important to select metrics the security team can actually influence through good security practices. Tracking too many KPIs is a common pitfall: it can lead to information overload, at which point people simply stop monitoring the metrics. Tracking the wrong KPIs for your situation can incentivize the team to behave in ways that optimize for the KPI while having a neutral or negative effect on the business’s actual security posture.
To help guide your efforts, here are some common security-related KPIs.
The Number and Type of Reported Incidents
Understanding the volume of security incidents can help organizations determine whether information security is a major problem. Large numbers of incidents or an upward trend in incidents over time suggest that more resources need to be devoted to counteracting security weaknesses. Decreasing numbers of incidents could demonstrate the effectiveness of security initiatives.
However, decreasing numbers of incidents could also indicate that the operating definition of “incident” needs to be updated, or that security practices are focused on attack tactics, techniques, and procedures no longer in use by rapidly evolving adversaries. Tracking the type of incident (was it common ransomware, or an attempt to steal your customer database?) is useful for deciding where to invest security funds.
The Amount of Time to Detect An Incident
The mean time-to-detect (MTTD) quantifies the average time between when a security incident first occurs and when a security team identifies that this problem exists. As of 2018, the average dwell time before threats were detected was almost three months. If a bad actor has months to explore your environment and determine the best path to their ultimate target, their odds of inflicting serious damage go up.
A related metric to track is the number of detections (or alerts). A detection doesn’t qualify as an incident until it has been validated and other evidence of an incident has been gathered. Many detection-focused tools spew high volumes of false-positive alerts that create extra work for security analysts, making it harder to identify and focus on true incidents. The ratio of detections to validated threats and incidents can be useful in determining the efficacy of a security detection tool.
The Amount of Time to Resolve An Incident
The mean time-to-respond (MTTR) measures the average time between when a security incident is detected and when the problem is remediated. As with MTTD, lower MTTR metrics are desirable: the sooner security problems are addressed, the better.
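The three measurements defined above (MTTD, MTTR, and the ratio of detections to validated incidents), computed from alert records as an added example that is not part of the original article. The record fields and sample data are constructed assumptions; the median time-to-detect is reported alongside the mean, which goes beyond the text, to show how a single long-dwell incident skews the average.

```python
from collections import Counter
from datetime import datetime
from statistics import mean, median

# Constructed sample alerts, not real data. Field names are assumptions.
# "occurred" is known only after investigation, so false positives lack it.
ALERTS = [
    {"type": "ransomware", "validated": True, "occurred": "2019-03-01T08:00",
     "detected": "2019-03-01T20:00", "resolved": "2019-03-02T20:00"},
    {"type": None, "validated": False, "occurred": None,
     "detected": "2019-03-03T09:00", "resolved": None},
    {"type": "data_theft", "validated": True, "occurred": "2019-01-10T00:00",
     "detected": "2019-04-10T00:00", "resolved": "2019-04-12T00:00"},
    {"type": None, "validated": False, "occurred": None,
     "detected": "2019-04-15T11:00", "resolved": None},
    {"type": None, "validated": False, "occurred": None,
     "detected": "2019-04-20T14:00", "resolved": None},
    {"type": "ransomware", "validated": True, "occurred": "2019-05-01T00:00",
     "detected": "2019-05-01T06:00", "resolved": None},  # still open
]

def hours_between(start, end):
    """Elapsed hours between two ISO timestamps; rejects reversed pairs."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"end {end} precedes start {start}")
    return delta.total_seconds() / 3600

def security_kpis(alerts):
    """MTTD, MTTR and detection ratio; open incidents are excluded from MTTR."""
    incidents = [a for a in alerts if a["validated"]]
    if not incidents:
        raise ValueError("no validated incidents to measure")
    ttd = [hours_between(i["occurred"], i["detected"]) for i in incidents]
    closed = [i for i in incidents if i["resolved"]]
    ttr = [hours_between(i["detected"], i["resolved"]) for i in closed]
    return {
        "mttd_hours": mean(ttd),
        "median_ttd_hours": median(ttd),
        "mttr_hours": mean(ttr) if ttr else None,
        "open_incidents": len(incidents) - len(closed),
        "detections_per_incident": len(alerts) / len(incidents),
        "incidents_by_type": dict(Counter(i["type"] for i in incidents)),
    }

if __name__ == "__main__":
    for name, value in security_kpis(ALERTS).items():
        print(f"{name}: {value}")
```

Leaving unresolved incidents out of MTTR makes the figure look better than reality while they stay open, which is why the open count is returned next to it.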
The Cost Per Incident
The cost of security incidents can be measured in terms of productivity loss, as well as the cost of the security resources required to address the incident. This KPI is often useful for justifying investments in security technology or additional human resources for the security team. For example, detection and response tools that augment human resources with machine learning and automated workflows can increase productivity by upwards of fifty percent.
Measuring cost per incident also enables you to estimate the ROI of given security tools. If you catch an incident early thanks to a specific tool, you’ve got evidence to support reinvesting in that tool when the contract is up.
Employee Satisfaction and Turnover
Employee satisfaction and turnover may seem more like human resources KPIs than security ones, but the impact on security is real and measurable. Staffing challenges will continue to be top-of-mind for security leadership in 2020. The common experience of having security analysts burn out and change jobs after a short period of time means that security organizations spend a great deal of time and money training new people and re-building institutional knowledge.
Number of Tools Required To Detect, Validate, and Respond To An Incident
The more tools your security analysts must use to gather all the data they need to validate an incident, the more friction and context switching they experience. This can lead directly to employee dissatisfaction, burnout, and turnover as discussed in the previous section. Consolidating and rationalizing tools is an incredibly powerful way for businesses to reduce security costs while increasing success in other KPIs.
The Value of Security Metrics
Most management teams are looking for quantitative information about the effectiveness of their security operations. With proper baselines in place and evaluation on a regular basis, implementing a security metrics program can shed light on what has been effective and where additional investments may be needed, and guide ongoing efforts.