As cyber risk increases, business leaders are seeking greater visibility and understanding of their organizations’ security programs. Their goal is to understand where cyber security risks are, where to invest resources, and how these investments are paying off.
Yet the data generated by security platforms and reporting tools is sometimes very technical in nature and doesn’t provide a complete picture of risk. With less-technically skilled individuals on the board and in the C-suite taking on increasingly significant roles in cybersecurity oversight, it’s useful to provide more straightforward, aggregated information. Cyber security dashboards are an effective way to do this, especially for your board of directors.
By boiling down volumes of technical details into easy-to-understand metrics, you can facilitate data-driven conversations and communicate the broad spectrum of cyber risk your company faces.
Since each organization’s security priorities differ, there isn't a single approach towards creating the best report for your board. But here are some of the more commonly requested and valuable cybersecurity KPIs that can be integrated into any dashboard.
1. Security rating
A security rating is a critical metric that indicates your organization’s overall security performance and supports rapid and meaningful decision making by executives.
Similar to a credit score, Bitsight Security Ratings range in value from 250 to 900, with a higher rating equaling better security performance. Your security rating also provides insight into your organization’s likelihood of experiencing a data breach – companies with a rating of 500 or lower are nearly five times more likely to be breached than those with a rating of 700 or higher.
2. Average vendor security rating over time
Bitsight Security Ratings can also be used to continuously monitor the security performance of your vendors and third parties. With this insight, you communicate any risk in your vendor portfolio to the board so they can make data-driven decisions about third-party risk management (TPRM) policies.
While individual vendor security ratings are an important metric to monitor, be sure to track the average rating of all your vendors over time so that the board can see at-a-glance whether your TPRM program is getting results.
3. Patching cadence grade
Patching cadence is a measure of how quickly critical security patches are applied and can be graded on a scale from A to F.
Patching cadence is an important KPI, since a failure to apply patches in a timely manner can expose your organization to cyber risk. When Bitsight analyzed hundreds of ransomware events, we found that organizations that delay applying patches are more likely to be victims of ransomware. In fact, organizations with a patching cadence grade of D or F are seven times more likely to experience a ransomware event compared to those with an A grade.
4. Intrusion attempts within a given period
Intrusion attempts are unauthorized efforts to access your networks and are recorded by your intrusion detection/prevention system. In addition to communicating the true risk your systems face, this KPI can indicate whether improvements in your security program are having a positive impact over time.
5. Mean time to detect/resolve
Mean time to detect (MTTD) is a measurement of how long it takes your security team to become aware of a potential security incident and is an indicator of the effectiveness of your security operations. MTTD metrics can be sourced from your security incident and event management (SIEM) platform.
Mean time to resolve (MTTR) is also tracked by your SIEM and measures the time to remediate a threat after it has been discovered. If your MTTR is trending upwards, it could indicate that the board needs to allocate more resources to the security operations center.
6. Phishing test results
Phishing emails are among the most common attack vectors for ransomware. Performing a phishing test – sending mock phishing emails to employees and seeing how they react – is one of the best ways to determine the human-related risk your organization faces, as well as the urgency of security awareness. This KPI is available from the phishing simulation solution or managed phishing service provider.
7. Instances of shadow IT
It is becoming increasingly common for hackers to exploit shadow IT, such as cloud software and external devices and technologies that are connected to a company's network without the knowledge of the IT department. Since they are not vetted through the typical onboarding process, these non-approved technologies may have security standards that fall below your normal risk thresholds.
Monitoring and reporting instances of shadow IT isn’t easy. But with Bitsight Attack Surface Analytics, you can continuously discover hidden assets and cloud instances on your network – and their inherent risk to your business. With this insight, the board of directors can develop security policies and enforcement guidelines to reign in the risk posed by shadow IT.
Choosing the right KPIs
Choosing metrics for a cyber security dashboard for the board of directors can be a high-stakes exercise. The right KPIs can help executives and board members clearly understand the risks facing your organization and gain support for security budgets and programs. On the other hand, KPIs that are too technical or confusing can derail discussions or fail to gain traction.
Focus on metrics that aren’t reliant on guesswork, are accurate, and will be understood by individuals with non-technical backgrounds. The most important KPIs should also be calculated quickly and easily, and not require hours to export, manipulate, and calculate.
The list above is just a sampling of cyber security dashboard KPIs. For a more comprehensive list, check out 16 At-a-Glance Cyber Security KPIs to Add to Your Dashboard.