A presentation at RSA Conference 2016 discussed key performance indicators for cybersecurity. How do you determine KPIs for security? Why is it important to do so?
Key performance indicators, or KPIs, are quantifiable measurements agreed to ahead of time by an organization to determine whether it is achieving its goals. KPIs may change as the organization grows or when the goals have been achieved. Cybersecurity KPIs can be short- and long-term goals that allow an organization to measure the effectiveness of its operation.
Service-level agreements may be a KPI for security, but there are other cybersecurity KPIs that should also be considered, such as staff retention and increase in customer satisfaction surveys. It is important to focus on KPIs that matter to your organization and business culture.
Companies use cybersecurity KPIs because they are measurable: it is easy to determine whether the cybersecurity group meets or exceeds expectations. Cybersecurity KPIs can be determined based on:
- Staff actions -- meeting SLAs in user provisioning, access request forms, remediation follow-up, daily periodic security monitoring results;
- System or technology events -- cybersecurity embedded into new technology or system tools and services, reduction in cybersecurity false positives;
- Internal processes -- staff retention, increase in customer satisfaction, state of security executive management reports, compliance audits; and
- External events -- breaches, attack detection and prevention.
So why measure cybersecurity with KPIs? There are several reasons, including:
- To demonstrate improvement in each of the four areas to measure;
- To justify the need for additional resources, whether they're staff, tools or services;
- To identify trends that indicate changes in the cybersecurity program or processes; and
- To provide executive management with assurance on cybersecurity or to indicate the need for focus in troubled areas.
Without KPIs, measuring cybersecurity performance is subjective and qualitative in nature. That may be acceptable in some organizations, but quantitative measures are more difficult to dispute.
Related Q&A from Mike O. Villegas