What is Cyber Security Performance Management?

Brian Thomas | November 14, 2019 | tag: Cybersecurity

Security performance management (SPM) helps security and risk leaders take a risk-based, outcome-driven approach to assessing and managing the performance of their organization’s cybersecurity program. With SPM, security leaders can continuously monitor and assess their organization’s current security state, analyze how security performance ranks against industry and peers, and create improvement plans that reduce cyber risk. 

SPM offers many tangible benefits. It drives accountability for security outcomes throughout the organization, helps align investments and actions with the highest measurable impact over time, and enables security and risk leaders to efficiently allocate limited resources on the most critical areas of cyber risk. It also breaks down communication barriers and facilitates easily understandable, data-driven conversations with the C-suite and Board.

Why cyber security performance management?

Cybersecurity is a top challenge for executives and Board members who want to be sure their organization is doing its best to avoid compromises and attacks. 

The stakes are high. A cybersecurity incident can result in the loss of intellectual property and customer data, reputational damage, and significant financial harm. Because of these risks, organizations are being held increasingly accountable for their security practices, outcomes, and failures. 

Yet, building defenses and protecting endpoints is no longer enough. Organizations need to be able to quantify the impact and effectiveness of their security investments and identify gaps in security performance. They must also set goals and make informed decisions to better manage the effectiveness of their tools, technologies, and people.

Security performance management helps companies address these challenges efficiently and effectively.

The case for cyber security performance management

Until recently, cyber risk management has taken a traditional route: organizations have relied on penetration testing and threat intelligence, complemented by occasional audits and security assessments, to determine their risk levels. While beneficial, these approaches offer only point-in-time results, not a continuous view of how the security program is performing.

Communicating risk levels to senior executives has also proven to be a challenge. Highly technical security metrics must be summarized into easily understood insight for Board meetings, yet that data often lacks context. How are Board members to know whether three security incidents a year is good or bad, or how their security performance compares with the competition?

This is where security performance management comes into play.

Security ratings: a critical component

Security ratings are a key component of cyber security performance management. Security ratings are data-driven, objective, and dynamic measurements of an organization’s cybersecurity performance. 

Security ratings don't rely on traditional techniques like penetration testing, questionnaires, or on-site visits. Instead, they are derived from externally observable, verifiable evidence, such as infected machines, indicators of compromise, misconfigured security controls, and good or poor security hygiene (for example, unpatched internet-facing systems). They are typically produced by a trusted, independent organization, which is what makes them objective indicators of an organization's cybersecurity posture. Because the evidence is gathered from outside the organization, a rating reflects what is observable externally and is best read alongside internal assessments rather than in place of them.

Armed with daily ratings, organizations can proactively identify, quantify, and manage cyber security risk throughout their ecosystem. They can also see whether changes in their security infrastructure have affected the rating, positively or negatively, and then investigate and remediate the underlying issues.

Ratings range from 250 to 900; the higher the rating, the more effective the organization is in implementing good security practices. In fact, BitSight research shows that companies with a security rating of 500 or lower are nearly five times more likely to experience a publicly disclosed data breach.

Critically, security ratings are also a common language that can be spoken by both technical and non-technical individuals. In this way, security ratings enable conversations between cybersecurity/IT professionals and other members of an organization that can improve decision making.

Security ratings can also be used as part of a third-party risk management program to measure the effectiveness of a vendor's security program and expose cyber risk across the supply chain. Check out our blog on third-party risk management practices for enterprises to learn more.

The payoff

In today’s high-stakes security environment, it’s critical that organizations understand how their security investments are performing. Only with this insight can they assure customers, investors and regulators that security is a priority; make it clear to executive management that security investments are paying off; and have productive conversations with their peers. Security performance management is a critical factor in enabling companies to achieve that understanding while helping them to identify vulnerabilities, set realistic goals, and strengthen cybersecurity over the long-term. 
