As the Chief Information Security Officer (CISO) let me ask you this: Are you establishing and measuring proper cybersecurity metrics?

If your answer is a resounding “no” or “I don’t know”, you are not alone. It is vital to establish effective measurements even though they probably will result in an increase in your overall cybersecurity budget. Got your attention now? Great – let’s take a harder look at the gaps and effective ways to establish measurements in this field.


Survey Says

Thycotic surveyed 400+ business and security executives from around the world with the purpose to develop Strategic Management Insight (SMI) from the gathered information. Here is what they found:

  • 80% of respondents failed to include business users in making cybersecurity purchase decisions
  • 58% scored a failing grade when evaluating their organization’s efforts to measure cybersecurity investments and performance against those practices and
  • 32% purchase cybersecurity technology blindly

In addition, this survey also found that CISOs are reporting on the WRONG Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).


What is a KPI?

Key Performance Indicators are used to evaluate an organization’s success at reaching certain targets. Selecting the right KPIs are company dependent and should start with your business objectives and how you plan on achieving them. This should be an iterative process that involves feedback from department heads and managers.

In the cybersecurity world, a KPI might be: “Through the implementation of cybersecurity policies, processes and monitoring tools, our objective is to have zero attacks in the next 12 months.” However, this KPI cannot be made in a bubble by the CISO; it needs to have the buy-in of all department heads that could be affected by a cyber-attack.


What is a KRI?

Key Risk Indicators are a measure to indicate how risky an activity (or lack of action) is for an organization. It is a metric for measuring the likelihood of if an event and if its consequence will exceed the organization’s risk appetite. They can be quantified in terms of percentages, numbers and time frames. The primary role of a KRI is to track trends over a period of time as these trends can be converted into early warning signals.

Cyber KRIs might be the following:

  • The risk of a cyberattack taking down your network and the operational cost (lost revenue, customers and productivity) for each day the network is down
  • The risk of being a victim of ransomware
  • The risk an employee will accidently or maliciously take down your system
  • The risk of not upgrading your operating system and applications


The Information Security Forum Can Help Develop KPIs/KRIs

The ISF offers a 4-step approach to developing effective KPIs and KRIs for your organization. This process revolves around the concept of identifying common corporate interests, making decisions relative to those interests and improving the process along the way.

It is vital to the success of this process to gather the data, agree to recommendations and confirm KPI/KRI combinations. Once these measurements are in place, you must test their effectiveness and change the ones that need to be more relevant to your business.


Shellproof Security is Here to Assist You
We can help you understand and reach effective KPI/KRI measurements in the arena of cybersecurity by testing in the following areas: external and internal network, web applications, physical and Wi-Fi.

Give us a call at 212-887-1600 to learn more about the ways we can help your small to medium sized business today!