Cybersecurity key performance indicators (KPIs) measure the efficacy of an organization’s cybersecurity program. In a rapidly changing threat landscape characterized by new identities, environments and attack methods, many potential KPIs exist to track. Measuring too many things can be distracting or misleading, while not measuring enough can create gaps in understanding and protection. It’s up to the CISO to not only define the right cybersecurity metrics for the business but also contextualize and communicate them effectively to the Board.
Establishing the Right Cybersecurity Reporting Framework
Most enterprises have outlined core initiatives—from business transformation to product innovation—to focus company-wide efforts on the same important areas. As part of this, most organizations will define at least one (and often multiple) cybersecurity-specific initiative and set clear objectives and key results (OKRs) to help enact their strategy. Tactical KPIs are then defined to help teams formulate work plans and track progress against these initiative-specific OKRs.
Here’s an example of how an organization that delivers customer-facing services in the cloud might structure its cybersecurity measurement and reporting framework:
1. Objective: Our core objective is “securing our cloud workloads” to protect our customers’ data and business from damage caused by a customer-facing compromise.
2. Key Results: We will track four key milestones to achieve this objective: 1) mitigate the risk of a complete cloud takeover; 2) mitigate the risk of privileged cloud users; 3) secure all local OS layer access; 4) secure all mission-critical applications.
3. KPIs: We will align a set of KPIs to each milestone. For example, to reduce the risk of complete cloud takeover (milestone 1), we will track five specific metrics: 1) the number of cloud admins secured by SSO and MFA; 2) the number of cloud admins—and number of cloud admin API access keys—secured by privileged access management (PAM) controls; 3) the percentage of compliant accounts/keys; 4) the percentage of shadow admins removed; 5) the percentage of excessive permission exposure.
Since each organization’s cybersecurity objectives are unique, there is no comprehensive “one-size-fits-all” list of KPIs to track. However, industry resources such as CISA’s Cybersecurity Performance Goals (CPGs) and the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) can serve as helpful guides.
Optimizing Cybersecurity: Measuring What Matters Most
Effectively measuring and communicating progress across lines and levels of business can be challenging. As a CIO, I understand this more than most. Based on my own experiences and valuable insights gleaned from fellow technology leaders, here are some essential factors to consider as your organization matures its cybersecurity reporting strategy:
Stay flexible and iterate often. KPIs aren’t meant to be static. Your measurement approach will inevitably change as business objectives, security tools and processes evolve over time. It’s important to get everyone in the same room when evaluating potential changes to ensure that you’re tracking the most relevant data. At CyberArk, I host quarterly KPI management meetings with our CISO and other business leaders to discuss where we are and what KPIs need to be adjusted, removed or added. These discussions are critical because security doesn’t happen in a silo. The CISO and the security team champion it. Still, it’s also happening as the R&D team addresses product issues or the IT infrastructure team sets up a new cloud security platform, for example. These discussions help to connect the many dotted lines between teams, roles and programs and keep everyone in sync.
Assessment cadences can also vary significantly from KPI to KPI. For instance, a vulnerability steering committee that tracks the number of exploitable high-severity vulnerabilities in the environment may meet bi-weekly to determine patching priorities. In contrast, risk tracking and re-prioritization may happen monthly.
Integrate cultural change metrics. Understanding the strength of your organization’s security culture requires a very different set of metrics—one that examines the “softer,” more people-centric dimensions of cybersecurity, such as employee behavior, cybersecurity awareness and compliance with organizational policies.
The phish-prone percentage (PPP) metric is one of the most effective ways to baseline, then routinely measure, a company’s vulnerability to phishing and social engineering attacks. This typically involves an organization-wide simulated phishing exercise to identify how many employees will a) click on a phishing link and b) report their error. With this empirical data, organizations can tailor their cybersecurity training curricula to help employees recognize red flags and improve their cybersecurity hygiene. Security teams can also tap into the user behavior analytics within their security tools to better understand employee behavior patterns and address potentially risky habits.
Exercise focus. Focusing on less can sometimes help you accomplish more. Some organizations have abandoned traditional reporting structures completely, opting to define one “super” KPI instead. For example, suppose we focus solely on the metric of mean time between incident detection and remediation (MTTR); how do we build an entire program around decreasing this metric to one minute or less? This extreme approach won’t work for every organization, but it underscores the discipline of focus in moving the needle.
Communicate visually for maximum impact. Ransomware, digital supply chain attacks and AI-fueled threats have catapulted cybersecurity to the top of the Board’s agenda. The newfound alignment between board members and their CISOs on cyber risk and preparedness is a good thing, yet it puts even more pressure on CISOs to demonstrably answer the question of “Are we secure?”
I’ve found heat map visualizations to be highly effective communication tools for Board meetings. These allow CISOs to distill numerous cybersecurity KPIs into easily digestible risk snapshots. When coupled with a strong narrative, heat maps can illustrate the company’s current risk posture, how risk has changed over time (by directly correlating implementation milestones achieved with decreasing risk levels), and what still needs to be done to meet stated objectives. When board members have specific questions, CISOs can provide supporting details without taking their executive audience to the “factory floor” of tactical KPIs and workflows.
Don’t underestimate the human element. Even the best data reporting structures and dashboards have their limits, for cybersecurity isn’t just science—it’s an art form. Understanding the best ways to protect your organization from ever-morphing threats and effectively measuring your ability to do so takes creativity, critical thinking and tight collaboration. Tap into these uniquely human attributes to enhance your strategy and celebrate team contributions often.
Back in the 1500s, Galileo taught followers to “measure what can be measured and make measurable what cannot be measured.” But if he could experience today’s data-deluged world, I bet he’d tack on “measure what matters most” to the end—especially when it comes to cybersecurity KPIs.
That’s all for now but check back soon for my take on the CrowdStrike outage, its far-reaching implications and strategies for strengthening digital resilience.
Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.
