If someone asked you, “How successful is your company’s cybersecurity program?” would you know how to respond?

For the past several decades, cybersecurity has been a somewhat nebulous concept to senior executives — a collection of procedures and protocols managed mostly by IT and rarely understood by anyone else. Unlike other business processes, like sales and marketing, it wasn’t easily measurable or quantified.

That is, until now.

Today, security performance is not only much more clearly defined, but it’s also highly trackable. (And, perhaps best of all, it’s no longer resting solely on security pros’ already-overburdened shoulders.)

To help you get started, we’re sharing a useful breakdown of how (and why) you should measure your security performance.

How to Measure Your Organization’s Security Performance

Technology is always evolving and growing in sophistication. Unfortunately, so are the threats it brings to your organization.

Because the playing field is always changing, it can seem nearly impossible to measure how well existing efforts are performing. That’s likely why a sizable 58% of global business and security executives’ security self-evaluation methods scored a failing grade, according to data shared by CIO.

(In other words, if you’re not monitoring or measuring your cybersecurity performance, you’re not alone.)

As the saying goes, you can’t manage what you can’t measure. So, the first step is to decide what metrics you want to track. Here are a few examples:

  • Time to Detect (TTD): What’s the average time it takes for your team to detect a potential security incident?
  • Time to Contain (TTC): What is the average time it takes to contain identified attacks?
  • Time to Resolve (TTR): What is the average time it takes to fully resolve a threat or incident?
  • Incidents Reported: What is the average number of incidents your organization has experienced over a defined period?
  • Workforce Preparedness: What percentage of your organization’s employees are fully trained on your organization’s cybersecurity processes and best practices for mitigating risk? 

Once you’ve chosen your metrics, it’s time to set benchmarks. That is, evaluate your performance over the past month, quarter, or year. Then, monitor these metrics moving forward to determine whether you’re improving.

For example, if you measure workforce preparedness (and we recommend you do), then you’ll need to identify which teams or individuals are most and least secure. If you’re able to reduce their riskiness over time by educating your workforce and holding employees accountable, then you know you’re improving your overall performance.
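As an added illustration, not HackNotice's code or tooling, the Python below computes the metrics listed above for one reporting period and compares them against a baseline period, which is the benchmarking step just described. The stage definitions (TTD, TTC and TTR boundaries), the record fields and the incident data are all assumed or constructed; align the definitions with your own runbook before reporting numbers.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    name: str
    occurred: str                    # ISO 8601 timestamps; None = stage not reached yet
    detected: str
    contained: Optional[str] = None
    resolved: Optional[str] = None

def _hours(start: Optional[str], end: Optional[str]) -> Optional[float]:
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def _mean(values) -> Optional[float]:
    present = [v for v in values if v is not None]      # drop stages not reached
    return round(mean(present), 2) if present else None

def compute_metrics(incidents) -> dict:
    """Mean TTD/TTC/TTR in hours plus counts for one period. Assumed definitions
    (align with your runbook): TTD = occurred->detected, TTC = detected->contained,
    TTR = detected->resolved; a stage not yet reached is excluded, not counted as 0."""
    return {
        "incidents": len(incidents),
        "still_open": sum(1 for i in incidents if i.resolved is None),
        "ttd_hours": _mean(_hours(i.occurred, i.detected) for i in incidents),
        "ttc_hours": _mean(_hours(i.detected, i.contained) for i in incidents),
        "ttr_hours": _mean(_hours(i.detected, i.resolved) for i in incidents),
    }

def compare_to_benchmark(current: dict, baseline: dict) -> dict:
    """Current minus baseline per metric; negative is an improvement for all of these."""
    return {k: None if current[k] is None or baseline[k] is None else round(current[k] - baseline[k], 2)
            for k in current if k != "still_open"}

# Constructed sample incidents for two quarters (not real data).
Q1 = [Incident("A", "2024-01-10T08:00", "2024-01-12T08:00", "2024-01-12T20:00", "2024-01-14T08:00"),
      Incident("B", "2024-02-01T00:00", "2024-02-01T06:00", "2024-02-01T18:00", "2024-02-03T06:00"),
      Incident("C", "2024-03-05T12:00", "2024-03-06T12:00", "2024-03-07T00:00", "2024-03-08T12:00")]
Q2 = [Incident("D", "2024-04-02T09:00", "2024-04-02T15:00", "2024-04-02T19:00", "2024-04-03T15:00"),
      Incident("E", "2024-05-20T10:00", "2024-05-20T12:00", "2024-05-20T14:00")]  # still open

if __name__ == "__main__":
    baseline, current = compute_metrics(Q1), compute_metrics(Q2)
    print(baseline, current, compare_to_benchmark(current, baseline), sep="\n")
```

Open incidents are deliberately left out of the resolve average rather than counted as zero, since counting them would make the quarter look better than it is; report `still_open` alongside the averages so that gap is visible.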

Why You Should Begin Measuring Your Security Performance ASAP

We know what you’re probably thinking — don’t security teams already have enough on their plates? Wouldn’t measuring and tracking security performance only add to their already gargantuan workload?

While identifying your metrics, setting benchmarks, and regularly tracking progress can seem time-intensive, it doesn’t have to be. Once you’ve done the initial work to set it up, your only job is to review performance on a consistent basis (and determine whether all the work you and your team are doing to reduce risks and boost protections is as effective as possible).

This solves two significant challenges security teams face:

  1. It gives you insight into which efforts yield the best results
    No one wants to waste time spinning their wheels. And while you have enough expertise to know which products and processes are most likely to drive the most success — it’s useful to have visibility into your performance.
    For example, you may assume the annual cybersecurity refresh you provide employees is enough to ensure they’re taking all the right precautions online — like using strong passwords and not sharing credentials. But imagine if you had insight into who is taking these practices seriously, and who is engaging in risky behavior? Having this intel could help you prevent incidents before they occur.

  2. It helps you communicate your value to senior executives
    Today, most C-suite execs understand the importance of a powerful cybersecurity program (or, at least, the tremendous costs involved when they don’t have one). Yet, they don’t always recognize exactly what great security entails — including the time, energy, and budget required to keep their organization safe.
    Because most senior decision-makers are concerned about the bottom line above all else, it’s not uncommon for leaders to question whether certain elements of the security program are essential or providing tangible value.
    When you have hard numbers to prove your performance, it’s easier to communicate what you and your team bring to the table. This data also comes in handy when you’re requesting additional budget or headcount.

Security performance measurement is an evolving science, and, as we move forward, it’s only going to become easier and more important to evaluate your efforts. In fact, in light of new data regulations, it will likely become mandatory. By beginning the process now, you’ll be ahead of the game.

Want insight into which employees are supporting your organization’s security and which are slacking? Now you can. Learn more about HackNotice Teams.