Struggling to identify cybersecurity KPIs?

Every day businesses are forced to spend increasing amounts of precious management time and resources on cybersecurity as data breaches, threats and risks keep piling up. CIOs are asking senior management to spend more and more on risk assessment, incident management, consultants, specialized intrusion detection software and fancy, pricey network hardware.

Senior management is rightly asking: When will this investment end? How much is enough? Am I still at risk of a high-profile disaster, like Sony, occurring on my watch? CIOs can’t answer these questions meaningfully without some data from cybersecurity Key Performance Indicators (KPIs). However, CIOs struggle to identify, design, operate and report on meaningful KPIs.

Here’s a list of resources that will help you quickly define cybersecurity KPIs that are likely to be meaningful for your organization. These resources have been developed through the collaboration of many cybersecurity experts and practitioners. By using one of these resources you will have the assurance that your KPIs are reasonably comprehensive and that you don’t have glaring cybersecurity holes not covered by KPIs. The KPIs can be tracked and reported on easily.

A Taxonomy of Operational Cyber Security Risks Version 2
This Taxonomy of Operational Cyber Security Risks identifies and organizes the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements.

You can use this taxonomy to quickly identify KPIs that are meaningful to your organization. You can then regularly report KPI statuses to management within the four easy-to-understand classes.

Cybersecurity Self-Assessment Guidance
This Self-Assessment Guide takes a checklist approach to evaluating cybersecurity readiness. While focused on Canadian federally regulated financial institutions (FRFIs), the self-assessment contains many good questions that any organization will find worth asking.

You can easily adapt this self-assessment to your organization and then quickly answer it quarterly. Now you have a basis for reporting cybersecurity progress or deterioration to your management.

The United States NIST Cybersecurity Framework
The NIST Cybersecurity Framework is broken into four elements: (1) Functions that organize security activities at their highest level, (2) Categories that subdivide functions into cybersecurity outcomes, (3) Subcategories that divide categories into specific outcomes and management activities, and (4) Informative References that illustrate methods to achieve the outcomes associated with each subcategory. The NIST Cybersecurity Framework also defines four tiers that characterize an organization’s cybersecurity capability.

You can use this substantial framework to identify KPIs that are meaningful to your organization. You can then regularly report cybersecurity status to management using a set of KPIs associated with the four elements and the four capability tiers.

Critical Security Controls for Effective Cyber Defense
The Critical Security Controls focus on prioritizing the security functions that matter most, expressed as twenty cybersecurity controls that have demonstrated real-world effectiveness. The controls approach challenges the usefulness of taxonomies and frameworks like those listed above.

You can use the twenty cybersecurity controls to identify KPIs that are meaningful to your organization. You can then regularly report status to management using KPIs associated with the twenty cybersecurity controls.

These resources will help you cost-effectively define, operate and report on meaningful cybersecurity KPIs.

Can you share any examples of cyber security KPIs that you found effective? Do you have any experience using these four resources that you can share?

Yogi Schulz
Yogi Schulz has over 40 years of Information Technology experience in various industries. Yogi works extensively in the petroleum industry to select and implement financial, production revenue accounting, land & contracts, and geotechnical systems. He manages projects that arise from changes in business requirements, from the need to leverage technology opportunities and from mergers. His specialties include IT strategy, web strategy, and systems project management.
