“A useful metric is both accurate and aligned with your goals”
We live in a world in which a large amount of data and information arrives every day. For those who work in IT and cybersecurity, that data is both enormous and noisy.
Logs and event IDs on a network are a good example. A single firewall can generate 500 pages of logs per day, and it is only one of many platforms on the network. Now think about how many logs the combination of firewall, SIEM, IDS, HIDS, and the many other applications and operating systems can produce. It is far too much information to grasp unaided.
Therefore, as CISOs, we need to categorize this flood of information and measure what matters. Security metrics confirm the efficiency of security operations; they also provide functional detail on where organizational improvements are needed. Just like logs, event IDs, and other data points, not all security metrics are created equal. To succeed you need to understand your own cybersecurity program: an effective metric gives you accurate measurements of how the program is functioning and points to where it should improve. The goal is a set of cybersecurity metrics that fits the size and complexity of your organization.
This is an example of a CISO dashboard that I have personally used to manage the outcome of compliance assessments.
I suggest bundling metrics into functional areas and focusing on the areas that are critical to your organization and your security team. You need a balanced approach to security metrics, so that the signal-to-noise ratio is aligned with your organization's risk tolerance. Some cybersecurity metrics should provide insight into administrative and non-technical functions: training, policy review, compliance, and governance. Others are required to cover the operational and technical side of security.
CISO DASHBOARD 1- Cybersecurity Lead Time
With the correct data, a CISO can establish cybersecurity metrics that show how security controls and security projects make the organization both more secure and more competitive.
As a Chief Information Security Officer, you must think through the impact of the cybersecurity program on your organization thoroughly and adjust your metrics accordingly. To measure the maturity of your security services, you will also need to develop the processes that produce these metrics; those processes give you the ability to measure your services against a specified standard.
Cybersecurity Administrative Metrics
- Percentage of material contracts that have been reviewed by the organization's security function for regulatory requirements.
- Percentage of material contracts that require the evaluation of baseline security and privacy controls.
Human Resources (HR)
- Percentage of job descriptions that highlight each employee’s responsibility to protect the organization’s assets.
- Percentage of employees who have had a thorough background check, including investigation of previous criminal activity.
- Percentage of employees who have attended minimum annual security awareness training and passed an assessment that demonstrates retention of core concepts.
- Percentage of employees who have read, acknowledged and been tested on the organization’s security policy.
CISO Dashboard 1- Security Budget
- Percentage of IT budget allocated to cybersecurity
- Percentage of material vendors who have been audited either directly by the organization’s security function or via a third-party attestation
- Percentage of material vendor relationships that are accurately and completely inventoried and documented by the organization
Security and IT Operations
- Percentage of known assets accurately inventoried
- Percentage of known systems accurately inventoried
- Percentage of systems classified as authorized or unauthorized
- Percentage of information assets accurately inventoried
- Percentage of information classified accurately
- Percentage of systems documented and kept current
- Percentage of systems that are still supported by the manufacturer or a validated third party
- Percentage of systems scanned for vulnerabilities
- Percentage of systems patched within the defined patch window
CISO DASHBOARD 1- Password Policy Metric
- Percentage of systems with passwords set to never expire or with no password policy enforced
- Percentage of systems with weak passwords or with passwords stored in plaintext
- Percentage of systems with IP, PII, ePHI, or other sensitive data that leverage MFA
- Percentage of domain and system admin accounts that leverage MFA
Business Impact Assessment (BIA)
- Existence of a management-reviewed and approved BIA plan
- Time since the BIA was last updated for changes to the business
- Number of high-risk business processes
Business Continuity / Disaster Recovery (BC/DR) Plans
- The existence of a management-reviewed and approved BC/DR plan
- Time since the BC/DR plan was last tested
- Percentage of systems, processes, or applications that met their RPO and RTO objectives in the last test
Incident Response and Remediation
- Mean time to respond to and remediate an incident
- Number of alerts or incidents triaged by a security analyst
- Number of alerts or incidents detected every 24 hours
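As an added example, not part of the original page or of any vendor's tooling, the following Python computes several of the operational metrics listed above (inventory coverage, vendor support, scan and patch compliance, admin MFA and password-expiry coverage, mean time to remediate) from constructed records. The field names, the 30-day scan window and the per-severity patch SLAs are assumptions. The point it makes that the bullet list alone does not is the denominator: unknown assets are measured against what the network actually shows, a missing scan date counts as unscanned, and open incidents are reported separately rather than pulled into the mean.

```python
"""Compute a subset of the CISO dashboard's operational metrics from exported records.
Added example. All records are constructed sample data; field names such as
"last_scan" or "password_never_expires" are assumptions, not any real tool's schema."""
from datetime import datetime, timedelta
from statistics import mean

AS_OF = datetime(2024, 6, 30)                 # reporting date for the dashboard
SCAN_WINDOW_DAYS = 30                          # assumed policy: every system scanned monthly
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}   # assumed SLA by severity

# Systems seen on the network (scanner / NAC view). This is the honest denominator.
DISCOVERED = {"web01", "db01", "hr-laptop-7", "legacy-erp", "shadow-nas"}

# Authoritative inventory (CMDB view). "shadow-nas" is absent: an unknown asset.
CMDB = {
    "web01":       {"authorized": True, "supported": True,  "last_scan": AS_OF - timedelta(days=3)},
    "db01":        {"authorized": True, "supported": True,  "last_scan": AS_OF - timedelta(days=45)},
    "hr-laptop-7": {"authorized": True, "supported": True,  "last_scan": None},
    "legacy-erp":  {"authorized": True, "supported": False, "last_scan": AS_OF - timedelta(days=10)},
}

# Patch findings: vendor fix release date and the date the system was patched (None = not yet).
PATCH_FINDINGS = [
    {"system": "web01",      "severity": "critical", "released": AS_OF - timedelta(days=20), "patched": AS_OF - timedelta(days=10)},
    {"system": "db01",       "severity": "critical", "released": AS_OF - timedelta(days=20), "patched": None},
    {"system": "legacy-erp", "severity": "high",     "released": AS_OF - timedelta(days=60), "patched": AS_OF - timedelta(days=20)},
]

# Privileged accounts from a directory export.
ADMIN_ACCOUNTS = [
    {"name": "da-alice",   "mfa": True,  "password_never_expires": False},
    {"name": "da-bob",     "mfa": False, "password_never_expires": True},
    {"name": "svc-backup", "mfa": False, "password_never_expires": True},
]

# Incident tickets with detection and remediation timestamps (None = still open).
INCIDENTS = [
    {"id": 1, "detected": datetime(2024, 6, 1, 9),  "remediated": datetime(2024, 6, 1, 15)},
    {"id": 2, "detected": datetime(2024, 6, 10, 8), "remediated": datetime(2024, 6, 12, 8)},
    {"id": 3, "detected": datetime(2024, 6, 28, 8), "remediated": None},
]


def pct(numerator, denominator):
    """Percentage rounded to one decimal; an empty denominator reports 0.0 rather than dividing by zero."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def inventory_coverage():
    """Percent of discovered systems present in the CMDB. Unknown assets lower this number
    because the denominator is what the network shows, not what the CMDB claims."""
    return pct(len(DISCOVERED & set(CMDB)), len(DISCOVERED))


def vendor_supported():
    return pct(sum(int(s["supported"]) for s in CMDB.values()), len(CMDB))


def scanned_in_window():
    """A system with no scan date counts as unscanned: missing data is a failure, not a pass."""
    window = timedelta(days=SCAN_WINDOW_DAYS)
    recent = sum(1 for s in CMDB.values() if s["last_scan"] is not None and AS_OF - s["last_scan"] <= window)
    return pct(recent, len(CMDB))


def patched_within_sla():
    """Per finding: patched, and within the SLA for its severity. Unpatched findings past
    their SLA count as failures; unpatched findings still inside the SLA are not yet due."""
    due, met = 0, 0
    for f in PATCH_FINDINGS:
        sla = timedelta(days=PATCH_SLA_DAYS[f["severity"]])
        if f["patched"] is not None:
            due += 1
            met += int(f["patched"] - f["released"] <= sla)
        elif AS_OF - f["released"] > sla:
            due += 1                       # overdue and still unpatched
    return pct(met, due)


def admin_mfa():
    return pct(sum(int(a["mfa"]) for a in ADMIN_ACCOUNTS), len(ADMIN_ACCOUNTS))


def admin_password_never_expires():
    return pct(sum(int(a["password_never_expires"]) for a in ADMIN_ACCOUNTS), len(ADMIN_ACCOUNTS))


def mean_time_to_remediate_hours():
    """Mean detected-to-remediated time over closed incidents only. Open incidents are
    counted separately; treating them as zero would flatter the number."""
    closed = [i for i in INCIDENTS if i["remediated"] is not None]
    if not closed:
        return None
    return round(mean((i["remediated"] - i["detected"]).total_seconds() / 3600 for i in closed), 1)


def open_incidents():
    return sum(1 for i in INCIDENTS if i["remediated"] is None)


def dashboard():
    return {
        "inventory_coverage_pct": inventory_coverage(),
        "vendor_supported_pct": vendor_supported(),
        "scanned_in_window_pct": scanned_in_window(),
        "patched_within_sla_pct": patched_within_sla(),
        "admin_mfa_pct": admin_mfa(),
        "admin_password_never_expires_pct": admin_password_never_expires(),
        "mean_time_to_remediate_hours": mean_time_to_remediate_hours(),
        "open_incidents": open_incidents(),
    }


if __name__ == "__main__":
    for name, value in dashboard().items():
        print(f"{name:36} {value}")
```

On the sample data the script reports 80% inventory coverage (four of five discovered systems are in the CMDB), 50% scan compliance (one stale scan and one system never scanned), and 33.3% patch compliance (one fix applied inside its SLA, one applied late, one critical patch overdue). Swapping the constructed records for real exports is the only change needed; the denominator rules are the part worth keeping.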
Incident Response (IR) Plan
- Existence of a management-reviewed and approved IR Plan
- Time since the IR plan was last tested
These metrics serve as guideposts for risk management and security operations. Depending on the size and complexity of the organization, there are many more metrics that can be used. The metrics above are designed to reduce high-risk blind spots within the organization and to ensure that, at a minimum, certain key planning documents exist and specific core security functions (patch management, MFA, inventories, and vulnerability scanning) are in place.
Secure Your Organization’s Mind with Securemind.se