
Why are cybersecurity KPIs important for enterprises to determine?

Cybersecurity KPIs are important for enterprises to determine when setting up a security program. Expert Mike O. Villegas discusses why and what a KPI for security should be.

A presentation at RSA Conference 2016 discussed key performance indicators for cybersecurity. How do you determine KPIs for security? Why is it important to do so?

Key performance indicators, or KPIs, are quantifiable measurements agreed to ahead of time by an organization to determine whether it is achieving its goals. KPIs may change as the organization grows or when the goals have been achieved. Cybersecurity KPIs can be short- and long-term goals that allow an organization to measure the effectiveness of its operation.

Service-level agreements may be a KPI for security, but there are other cybersecurity KPIs that should also be considered, such as staff retention and increase in customer satisfaction surveys. It is important to focus on KPIs that matter to your organization and business culture.

Companies use cybersecurity KPIs because they are measurable: it is easy to determine whether the cybersecurity group meets or exceeds expectations. Cybersecurity KPIs can be determined based on:

  • Staff actions -- meeting SLAs in user provisioning, access request forms, remediation follow-up, daily periodic security monitoring results;
  • System or technology events -- cybersecurity embedded into new technology or system tools and services, reduction in cybersecurity false positives;
  • Internal processes -- staff retention, increase in customer satisfaction, state of security executive management reports, compliance audits; and
  • External events -- breaches, attack detection and prevention.

So why measure cybersecurity with KPIs? There are several reasons, including:

  1. To demonstrate improvement in each of the four areas to measure;
  2. To justify the need for additional resources, whether they're staff, tools or services;
  3. To identify trends that indicate changes in the cybersecurity program or processes; and
  4. To provide executive management with assurance on cybersecurity or to indicate the need for focus in troubled areas.

Without KPIs, measuring cybersecurity performance is subjective and qualitative in nature. That may be acceptable in some organizations, but quantitative measures are more difficult to dispute.


This was last published in October 2016
