Lack of Cyber Metrics Hamper U.S. Ability to Respond to Cyberattacks

Lack of Cyber Metrics Hamper U.S. Ability to Respond to Cyberattacks

As the nation struggles to come to terms with the coronavirus and questions linger around our readiness for such a pandemic, government leaders are already grappling with the next potential catastrophe — a major cyberattack against the U.S.

A new report issued by the federal Cyberspace Solarium Commission, a congressional body chaired by Sen. Angus King and Rep. Mike Gallagher, opens with a dire warning: that the country is “dangerously insecure in cyber” and “…is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our elections,” reports Dark Reading.

In response to this threat, the Commission published more than 75 recommendations to lawmakers on ways in which public and private entities can strengthen their security posture to reduce the probability and impact of cyberattacks.

Lack of clarity hampers cybersecurity risk reduction

Yet even as cyber incidents are increasing in frequency and severity, the report acknowledges a major roadblock to achieving this goal: that both the U.S. government and broader marketplace “lack sufficient clarity about the nature and scope of these attacks to develop nuanced and effective policy responses.”

Much of the problem lies in the fact that official data sets are incomplete and provide only a superficial or cursory understanding of evolving trends in cybersecurity. The Department of Justice gathers data on cyber-crime, but the data is woefully out-of-date. Meanwhile, the FBI Cyber Crime division collects statistics on the monetary cost of cybercrime, but only on cases that it deals with. And while many industry titans in the cybersecurity sector assemble vast amounts of data about the true state of cybersecurity in the U.S., they are not obligated to disclose it.

This makes it hard for government and private companies to model and understand cyber risk and tell if they’re making progress defending their systems.

How a proposed Bureau of Cyber Statistics could help

In response to these data gaps, the report calls on Congress to establish a Bureau of Cyber Statistics within the Department of Commerce. The Bureau would collect, process, analyze, and disseminate essential data on cybersecurity, cyber incidents, and the cyber ecosystem. In partnership with NIST, the Bureau would use this data to help inform Americans of risk, drive greater risk reduction, and assist the government in crafting more effective cyber policy and programs.

But the responsibility for measuring cyber risk shouldn’t lie with the government alone. Whether or not these recommendations become law, the Cybersecurity Solarium Commission has identified serious shortcomings in the nation’s cybersecurity posture. Considering this, every organization has an obligation — to their customers, partners, investors, and employees – to apply meaningful metrics to cybersecurity performance.

16 Cybersecurity KPIs

We’ve compiled 16 valuable, easy-to-understand cybersecurity and cyber risk KPIs that can be integrated into a dashboard for any member of an organization who wants to become more aware of cyber risk.

After all, information is power. Without a commonly defined quantification of risk, organizations struggle to know where and how to prioritize their security investments.

One way to address this challenge is to utilize security ratings.

Security ratings: A powerful metric for revealing hidden cyber risk

Security ratings are a data-driven, objective, and dynamic measurement of an organization’s cybersecurity performance that provide much-needed visibility into cyber risk and help identify gaps in security programs.

Unlike traditional cyber assessments that provide a point-in-time risk metric, security ratings work by continuously monitoring digital assets for risk, such as unpatched systems, insecure access points, misconfigured software, and malware. They provide quantitative metrics to the assessment process.

Armed with daily ratings, organizations can proactively identify, quantify, and manage cyber security risk throughout their ecosystem. For example, Bitsight Security Ratings range from 250 to 900, with a higher rating equating to better overall security posture. In fact, companies with a rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.

Bitsight Security Ratings can even be used to measure cyber risk across third, fourth, and nth parties in an organization's supply chain. This helps prevent exposure to risk from vendors and partners.

With this data-driven measurement of security performance, companies can quickly and efficiently allocate their teams’ limited security resources and investments to the most critical areas of cyber risk. They can also facilitate data-driven, risk-based conversations about cybersecurity among key stakeholders, including the board, C-suite, investors, and partners, and more.

Meaningful metrics and data are critical to cyber risk reduction

IT security leaders are always trying to find better ways of identifying and understanding cyber risk. As the findings of the Cybersecurity Solarium Commission show, having accurate metrics brings much-needed clarity to the process — inside and outside the corridors of government.

Security ratings compliment the government’s efforts to create a Bureau dedicated to making risk easier to identify, understand, and reduce. They are the type of non-traditional, outside-the-box, data-driven security solution that the Cyberspace Solarium Commission is recommending.