How Do You Measure Your Company’s Cybersecurity Effectiveness?

Many companies are finally taking cybersecurity seriously and have implemented programs to meet their organization’s specific needs. Having a program in place, however, is only the first step. Measuring the effectiveness of a cybersecurity plan is equally important. There are several steps a company should take to adequately measure the effectiveness of their plan.

How Does A Company Measure Security Efforts?

There have to be specific ways to measure security efforts in order to determine their effectiveness. Before beginning this process, it’s important to understand the difference between measurement and metrics. The United States National Institute for Standards and Technology (NIST) states that measurement is defined as observable and quantifiable. Metrics, however, are normally something that can be supported by measurement. Metrics are to be used to assist in decision making and to improve accountability and ultimately performance. Cybersecurity metrics should include accurate data that can be compared in different time periods. In particular, it must include specific and objective data. Cybersecurity effectiveness can generally be divided into three areas. These include systems, incidents, and people.

What Metrics Should a Company Choose?

Establishing a few key metrics to determine cybersecurity effectiveness is a good place to begin. An organization will need to start by tying in their business goals with how increased security can help meet those specific goals. This would include establishing a company’s threat profile and identifying scenarios that would potentially cause the greatest impact to an organization. The following are examples of various metrics that can be used.

• State Current Capabilities – An organization should be able to list their current security capabilities. What programs are in place? What exactly are they expected to do? How does the current program address each high-risk scenario that the organization may face?
• List Vulnerable Assets – To understand the risk an organization incurs, it’s necessary to know the number of all vulnerable assets. This will enable a company to create a vulnerability management plan that will likely include scans of all appropriate assets. This will indicate what specific action, such as managing patches and updates, should be taken to improve security.

After a few general metrics have been established, a company will want to put in place those that are more specific. The following are just a few examples of specific metrics that can be used to assess the effectiveness of a cybersecurity plan.

• Track Patching and Updates – Patch management is a critical aspect of addressing vulnerabilities in software. Companies will want to specifically track how many system patches have been put in place over a particular time period or how many updates have been installed. How often patching is completed can be compared to the number of incidents that occur within a particular time period.
• Response Time – Keeping track of response times for a variety of incidents is a relatively objective and efficient way to measure overall effectiveness. How many spam messages have been intercepted? How many attacks from worms, viruses, or ransomware have been identified during a specific time period and how much time lapsed been identification and resolution? How long did it take to remediate vulnerabilities that are found in software?
• Monitor Data Transference – Monitoring the volume of data that is being transferred will help an organization identify misuse. If employees are downloading videos, software, and applications that are unnecessary or potentially dangerous, this can open the door for malware.

How is the Company Comparing to Peer Performance?

Another way to gage cybersecurity performance is in relation to how other organizations in similar industries are doing. After deciding which metrics to use to determine security effectiveness, an organization will want to find out how successful other companies are in these areas. Comparing performance to other companies is also known as benchmarking.

How many security breaches have occurred when compared to other companies in the same industry of a similar size? How did they handle different types of incidents? What percentage of the budget is being spent on cybersecurity? These are just a few questions to ask when making valid comparisons. There are a variety of peer networking forums and online meetings that can be used when finding out how other organizations are doing when it comes to cybersecurity.

What Steps Can a Company Take to Address Gaps in Performance?

Finally, how an organization addresses gaps in performance will determine how effective their cybersecurity program will ultimately be. After metrics have been in place for a specified time period and then evaluated, the company will want to implement the following to strengthen weak areas.

• Educating Employees – Ongoing employee training is the first, and for most organizations the most important aspect of cybersecurity effectiveness. Organizations need to have clear company policies in place that specifically address weaknesses and gaps that have been discovered.
• Updating Systems – Whether it’s improving hardware security, automatically updating software, or creating a new firewall, a company’s systems must constantly be monitored and updated to improve cybersecurity effectiveness.
• Ongoing Testing – Is employee education effective? Has the number of times employees have responded to online scams or clicked on a dangerous link decreased? Part of testing will be to record and analyze recovery time whenever an incident occurs. Cybersecurity effectiveness can be calculated by how much time lapses between the detection of a threat and when appropriate action is taken. An organization needs to find an objective method of calculating recovery time.

After completing the previous steps, an organization will now have a better understanding of how effective their cybersecurity program is and how it aligns with their overall business goals. They should also have a plan in place for improvement and specific ways to track and monitor improvement. Finally, it’s important to remember that assessing cybersecurity effectiveness is an ongoing process. This means it’s necessary to continually update and tweak the metrics that are used so they align with the ongoing security needs of the organization.