
Cybersecurity Metrics Your CIO Expects You to Know

Alex Campanelli | September 14, 2018

Creating a third-party vendor risk management program is a top priority in today’s threat landscape. It is critical not only to put a program in place, but also to understand which cybersecurity metrics you should be looking at within your own organization (and for your third parties). These metrics should go deeper than “yes” or “no” questionnaire answers and give you a more comprehensive picture of where you (and your third parties) stand when it comes to proactively mitigating cyber risk.

Below, we’ve outlined the most important cybersecurity metrics you should start monitoring right away.

Top Cybersecurity Metrics To Begin Tracking

1. Number of botnet infections per device over a given period of time.

This is the top cybersecurity metric that every organization must monitor. By examining how many botnet infections have taken place on your network—and what types of botnets you’ve dealt with—you can better prepare for (and protect yourself against) these types of attacks as well as learn from previous examples.

Tracking this metric also helps you shorten what is often called the detection deficit: the gap between the moment an attacker gains a foothold and the moment you notice and respond. The faster you can identify that something is happening on your network and respond appropriately, the less likely the intrusion is to turn into something catastrophic. The closer you keep that gap to zero, the better shape you are in.

The problem is that many organizations do not have a gap of minutes between intrusion and remediation; it often takes hours, days, weeks or even months to identify and remediate a breach. By tracking both the number of botnet infections on your network and the time it takes you to remediate each one, you take an important step toward closing this deficit.

2. Percentage of employees with privileged user access who are monitored.

Whether through an insider who has gone rogue or an external attacker abusing someone else’s privileges, control of “the keys to the kingdom” gives an attacker everything needed to take over corporate infrastructure and cause significant damage. Knowing exactly who holds super-user access, and what share of those individuals is actually being monitored for internal or external misuse, is therefore an important metric. Tracking it also shows whether you are granting unrestricted network access to too many people, so you can cut privileges back to those who genuinely need them.

3. Percentage of critical third parties whose cybersecurity effectiveness is continuously monitored.

Traditional vendor risk management practices only offer you a snapshot view of a vendor’s security posture at a single point in time. Even if you perform audits, penetration tests, and vulnerability scans, you still won’t know what’s going on with your vendors’ security on a day-to-day basis. But continuously monitoring vendors’ risk allows you to look at the third parties you’ve deemed as critical — usually those who have access to sensitive data or direct corporate network connections — and determine in real-time how they’re performing in regard to cybersecurity. This will allow you to make data-driven decisions about those vendors that are top priorities for your business.

So what cybersecurity metrics is your CIO looking for?

There are many different metrics that a CISO or CIO collects to measure the performance and effectiveness of the security program. But only a select few carry enough weight to be reported to the C-suite. The information security metrics that make it to the Boardroom should be presented in a language the Board understands, and should speak directly to whether the company is taking the right steps toward security.

Below are four key cybersecurity metrics to consider reporting to your Board:

1. Company vs. Peer performance

The top metric for Board-level reporting today is how your organization’s cybersecurity performance compares to the peers in your industry. This information is usually easily digestible, visually appealing, and highly compelling, which makes it a top choice for a Board presentation.

You can gather this metric most easily through a security rating. The BitSight Security Ratings platform, for example, lets you benchmark your security performance against a number of your industry peers and competitors over a period of time.

[Figure: screenshot of the BitSight Security Ratings benchmarking view]

2. How quickly can our organization identify and respond to incidents?

It is important to differentiate between a vulnerability and an incident. A vulnerability is a flaw that could potentially be exploited, whereas an incident is an actual exploitation or compromise of a system.

Once something bad has happened on your network, responding appropriately must be a priority. Every cybersecurity program is ultimately measured by how quickly the organization can identify and respond to incidents: the sooner malware is removed, the less damage it is likely to do. Unfortunately, many companies let malware dwell on their network far too long, often simply because they are unaware of the intrusion in the first place, which gives attackers more opportunities to compromise further systems.

There are several ways to measure incident response time. You can:

  • Use security ratings to get actionable data about an incident right away.
  • Identify a security incident on your system, shut it down, and manually record your own response time.
  • Learn of an incident from a third party, such as law enforcement, and use their information to establish when it began.

Many organizations use a combination of their own internal processes and external resources for quantitative measurement. Regardless, the more visibility you have into your network, the better you’ll be able to monitor this metric. Once you’ve monitored this successfully, you can benchmark your remediation time and compare it within your organization historically and to your peers.
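
The following script is an added example, not BitSight’s code or anything from the original post. It computes metric 1 from the first list above (botnet infections per device over a period) and the detection deficit discussed there and in this section (time from first evidence of an infection to detection, and from detection to remediation) from a flat infection log. The CSV layout, the device names, malware family labels, timestamps and the fleet size of 200 are all constructed for the example; in practice the rows would come from your EDR or IDS case tracker.

```python
"""Added example: botnet-infection and detection-deficit metrics from an
infection log. Not BitSight code; every value below is constructed."""
import csv
import io
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample log (assumption: one row per confirmed infection).
#   first_seen = earliest evidence of the infection, e.g. first C2 beacon
#   detected   = when the security team first identified it
#   remediated = when the host was cleaned or rebuilt (empty = still open)
SAMPLE_LOG = """\
device,family,first_seen,detected,remediated
ws-0412,Emotet,2018-08-01T09:12,2018-08-01T11:40,2018-08-01T16:05
ws-0412,Emotet,2018-08-20T08:00,2018-08-24T13:30,2018-08-25T09:00
srv-db02,Mirai,2018-08-03T02:15,2018-08-05T10:00,2018-08-05T12:30
ws-0199,TrickBot,2018-08-10T14:00,2018-09-02T09:00,2018-09-02T18:00
ws-0777,Emotet,2018-09-01T07:30,2018-09-01T07:45,
"""

FMT = "%Y-%m-%dT%H:%M"
# Reporting window used below: the whole of August 2018 (assumption).
AUGUST_2018 = (datetime(2018, 8, 1), datetime(2018, 9, 1))


def parse_log(text):
    """Parse the CSV into dicts with datetime fields; empty remediated -> None."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "device": row["device"],
            "family": row["family"],
            "first_seen": datetime.strptime(row["first_seen"], FMT),
            "detected": datetime.strptime(row["detected"], FMT),
            "remediated": (datetime.strptime(row["remediated"], FMT)
                           if row["remediated"] else None),
        })
    return records


def infections_per_device(records, start, end, fleet_size):
    """Metric 1: infections whose first evidence falls in [start, end).

    Returns the per-device counts and the fleet-wide rate (infections
    divided by devices in the fleet), so 4 infections on 200 devices is 0.02.
    """
    in_window = [r for r in records if start <= r["first_seen"] < end]
    per_device = Counter(r["device"] for r in in_window)
    return per_device, len(in_window) / fleet_size


def repeat_offenders(per_device, threshold=2):
    """Devices infected `threshold` or more times: rebuild candidates."""
    return sorted(d for d, n in per_device.items() if n >= threshold)


def hours(delta):
    return delta.total_seconds() / 3600


def detection_deficit(records):
    """Median hours from first evidence to detection and from detection to
    remediation, plus the number of infections still open. Open infections
    are excluded from the remediation figure rather than counted as zero,
    which would flatter the number."""
    to_detect = [hours(r["detected"] - r["first_seen"]) for r in records]
    closed = [r for r in records if r["remediated"] is not None]
    to_remediate = [hours(r["remediated"] - r["detected"]) for r in closed]
    return {
        "median_hours_to_detect": median(to_detect),
        "max_hours_to_detect": max(to_detect),
        "median_hours_to_remediate": median(to_remediate) if to_remediate else None,
        "open_infections": len(records) - len(closed),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts, rate = infections_per_device(recs, *AUGUST_2018, 200)
    print("August infections per device:", dict(counts), "fleet rate:", rate)
    print("repeat offenders:", repeat_offenders(counts))
    print("detection deficit:", detection_deficit(recs))
```

The median rather than the mean is used for the deficit because a single infection that sat undetected for weeks (ws-0199 in the sample) would otherwise dominate the figure; report the maximum alongside it so that outlier is not hidden either.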

3. Do we have any outstanding high-risk findings open from our last audit or security assessment?

Whether your last audit or assessment was done in-house or by a third party, it will typically include a number of recommendations for improving your organization’s cybersecurity posture. The audit committee almost always recommends remediating high-risk findings immediately. If any high-risk finding has not been closed within the recommended time frame, your Board should definitely know about it.

4. Patching Cadence

This metric involves determining how many vulnerabilities exist in your systems and how many of the critical ones have yet to be patched. To see why cadence matters, consider software: when an update is released for a system you already run, or when you deploy a new product, it may ship with bugs or vulnerabilities that are only found post-deployment. Patches for these become available regularly, but they do no good until they are applied, and every day of delay is a day the flaw remains exploitable. A faster patching cadence therefore directly reduces the number of open vulnerabilities in your environment.

If you want to improve your third-party vendor risk management program or get a better look at a vendor’s security posture, you will need to track several important metrics. These will help you monitor where you stand now and where you are headed.

Key Performance Indicators For Evaluating Each Of Your Vendors

1. Time it takes your vendors to remediate vulnerabilities.

This is also known as “patching cadence” and it involves determining how many vulnerabilities your vendors have in their system and how many of the critical vulnerabilities have yet to be patched.

For instance, one of your third parties may purchase and deploy a new piece of software that turns out to have a number of vulnerabilities for which the software company releases patches. It is critical to monitor how quickly your vendor applies each of these patches, because leaving vulnerabilities unpatched increases the likelihood that they will be exploited, potentially exposing your sensitive data.
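
The script below is an added example, not BitSight’s code or anything from the post, and it serves both the internal patching-cadence metric in the Board section and the vendor version here. It takes a vulnerability-tracker export and reports, per severity, the median days from patch availability to patch applied, how many items met or breached an SLA, and which open items are already overdue. The SLA windows, the vulnerability identifiers, asset names and dates are all assumptions constructed for the example; a real run would use your own export and your own policy.

```python
"""Added example: patching-cadence metrics from a vulnerability-tracker
export. Not BitSight code; SLAs and rows below are constructed."""
import csv
import io
from datetime import date
from statistics import median

# Assumed remediation SLA in days per severity (not from the post).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed sample: one row per vulnerability instance. The ids are
# placeholders, not real advisories; an empty patched column means open.
SAMPLE_VULNS = """\
id,asset,severity,patch_available,patched
vuln-001,web-01,critical,2018-08-01,2018-08-04
vuln-002,web-01,critical,2018-08-05,2018-08-20
vuln-003,db-01,critical,2018-08-25,
vuln-004,web-02,high,2018-08-02,2018-08-20
vuln-005,web-02,high,2018-07-01,
vuln-006,vpn-01,high,2018-09-10,
vuln-007,mail-01,medium,2018-08-15,2018-09-01
"""

# Reporting date (assumption: the day the report is produced).
AS_OF = date(2018, 9, 14)


def parse_vulns(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": row["id"],
            "asset": row["asset"],
            "severity": row["severity"],
            "patch_available": date.fromisoformat(row["patch_available"]),
            "patched": date.fromisoformat(row["patched"]) if row["patched"] else None,
        })
    return rows


def classify(vuln, as_of):
    """Return (days_exposed, status): 'met' (patched within SLA),
    'breached' (patched late, or still open past the SLA) or 'pending'
    (open but the SLA clock has not run out yet)."""
    sla = SLA_DAYS[vuln["severity"]]
    if vuln["patched"] is not None:
        days = (vuln["patched"] - vuln["patch_available"]).days
        return days, ("met" if days <= sla else "breached")
    days = (as_of - vuln["patch_available"]).days
    return days, ("breached" if days > sla else "pending")


def patching_cadence(vulns, as_of):
    """Per-severity summary. Compliance is met / (met + breached): open
    items whose SLA has not expired are neither a success nor a failure."""
    by_sev = {}
    for v in vulns:
        days, status = classify(v, as_of)
        entry = by_sev.setdefault(v["severity"], {
            "sla_days": SLA_DAYS[v["severity"]],
            "met": 0, "breached": 0, "pending": 0, "_closed_days": [],
        })
        entry[status] += 1
        if v["patched"] is not None:
            entry["_closed_days"].append(days)
    for entry in by_sev.values():
        closed = entry.pop("_closed_days")
        entry["median_days_to_patch"] = median(closed) if closed else None
        due = entry["met"] + entry["breached"]
        entry["sla_compliance_pct"] = round(100 * entry["met"] / due, 1) if due else None
    return by_sev


def overdue(vulns, as_of):
    """Open vulnerabilities already past their SLA: the list to escalate."""
    return sorted(v["id"] for v in vulns
                  if v["patched"] is None and classify(v, as_of)[1] == "breached")


if __name__ == "__main__":
    vulns = parse_vulns(SAMPLE_VULNS)
    for sev, summary in patching_cadence(vulns, AS_OF).items():
        print(sev, summary)
    print("overdue:", overdue(vulns, AS_OF))
```

Counting an open item as “breached” as soon as its SLA expires, rather than waiting until it is finally patched, is what keeps the metric honest: a vendor with many long-open criticals would otherwise show a good median simply because only the easy items ever get closed.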

2. Time it takes your vendors to respond to security incidents.

A security incident is an actual exploitation of a system — not just the threat of it. So you will be concerned with how quickly your third parties are able to identify threats and respond to them appropriately. Not surprisingly, the longer it takes for these incidents to be shut down, the greater the chance that your data will also be compromised.

The catch is that virtually no third party will volunteer these metrics. They may not be tracking them at all, or they may be performing poorly and prefer not to share that with you. With traditional vendor monitoring methods there is only so much you can learn about a third party’s cybersecurity effectiveness: you can review recent audits, conduct assessments, perform on-site interviews, and read documentation, but these methods take time and are largely subjective.

Because of this, having a tool like BitSight Security Ratings that is able to alert you to potential security incidents when they happen is highly useful — not only for your vendors, but internally as well.

