While many IT, security, and risk professionals have developed good metrics and visuals for communicating internally about cyber risk, such as the safety cross and pareto charts, reporting on cybersecurity to non-technical individuals remains challenging.
Other departments have simple numbers that indicate their performance, like new leads, sales per month, ticket resolution time, or revenue. Cybersecurity, meanwhile, is much more difficult to quantify.
Choosing the right KPIs to represent your cybersecurity program can be a high-stakes exercise. In a report to the Board, for example, good KPIs can make the difference between an approved budget or slashed resources.
To help with your next report, we put together 6 cybersecurity KPI examples that can be used to communicate cyber risk and security performance to non-technical personnel.
In compiling this list, we tested potential KPIs against the following criteria:
Does it accurately communicate something important about cybersecurity performance? Metrics that rely too heavily on guesswork or have large margins of error do not make good KPIs. Accurate metrics that focus on insignificant areas of cybersecurity aren’t helpful either.
Is it easily understood, even by individuals with non-technical backgrounds? The individuals reading your report should be able to comprehend it without you being in the room to explain it to them.
Is it relatively simple to calculate? Good KPIs should be checked often in order to track progress over time. If you have to spend hours exporting/deriving/calculating a metric, those hours will add up over weeks and months.
In a security context, mean time to detect (MTTD) is a measurement of how long it takes the cybersecurity team or security operations center to become aware of a potential security incident (on average). This statistic should be relatively simple to find on your security incident and event management (SIEM) platform.
MTTD shows readers of your report how long security threats are going unnoticed within your organization’s systems. Long MTTD timeframes can indicate an increased risk of threat actors accessing sensitive data.
Mean Time to Resolve
Mean time to resolve (MTTR) is similar to MTTD, but accounts for how long it takes the cybersecurity team or security operations center to remediate a threat after it has been discovered. This can also be calculated using data from your SIEM.
If MTTR times are increasing, that indicates to the readers of your report that more resources are needed in order to mitigate cyber threats.
BitSight Security Rating
A BitSight Security Rating is a metric for describing overall cybersecurity performance based on externally observable indicators. The rating is informed by data from over 120 sources on compromised systems, security diligence, user behavior, and data breaches.
Your BitSight Security Rating, which is presented as a number from 250 to 900, indicates overall security performance. It also gives you a sense of your likelihood of experiencing a data breach; companies with a BitSight Security Rating of 500 or lower are nearly five times more likely to experience a breach than those with a rating of 700 or higher.
Unlike the other KPIs in this list, BitSight Security Ratings communicate a big-picture view of cybersecurity performance. That makes them an excellent choice for reporting and benchmarking.
Patching Cadence Grade
In addition to an overall rating, the BitSight Security Ratings Platform offers A-F grades for specific risk vectors. Your grade for patching cadence indicates how long it takes your security or IT teams to apply critical security patches on average, as compared to other organizations
A good patching cadence grade can help communicate to the readers of your report that your department is taking proactive steps to help prevent cyber attacks and data breach. On the other hand, a poor patching cadence grade represents an issue that should be resolved as soon as possible.
Average Industry Security Rating
In addition to giving users visibility into their own security ratings and those of third parties, BitSight provides average security ratings for entire industries.
Seeing the average security rating of your industry displayed alongside your own security rating can help you contextualize your cybersecurity performance. Doing much worse than the industry average is a sign that increased resources and attention need to be devoted to cybersecurity. Doing much better than the industry average is a sign of a mature cybersecurity program, and can be used to demonstrate your success to the Board or C-suite.
Phishing Test Success Rate
User-related cybersecurity efforts are extremely important, but are difficult to quantify. If you’ve conducted phishing tests to assess your employees’ ability to detect fraudulent emails or messages, the results of those tests can act as a great KPI.
Phishing was the third most common action variety in data breaches in 2017. It’s a tried and true cyber crime method that doesn’t require breaking through advanced firewalls and other technical defenses. An indicator of what percentage of your employee population is falling for phishing attempts gives the readers of your report a sense of the human-related risk their organization faces. This KPI can be used to ask for additional funding for security awareness training.
Security ratings, or cyber security ratings, are a data-driven, objective and dynamic measurement of an organization’s security performance. Thousands of organizations around the world use BitSight Security Ratings as a tool to address...
While many IT, security, and risk professionals have developed good metrics and visuals for communicating internally about cyber risk, such as the safety cross and pareto charts, reporting on cybersecurity to non-technical individuals...