Many industry voices have been calling for change in the way that cybersecurity teams measure organizational success. For years, businesses have benchmarked their security strength on budget size, team size, tool stack, and performance metrics that say nothing about outcomes. The gap between achievement and performance has never been higher, as noted in a series of recently published articles discussing these issues, titled "What are our Cybersecurity Teams Truly Achieving" and "Using KPIs Can Make your Teams More Effective".
As a prime example of this phenomenon, look no further than the infamous Equifax breach. Even though Equifax touted an $85M security budget, a large security team, and a significant vulnerability management operation, it took 76 days to identify the breach, 145 days to patch, and over two weeks to notify their CEO of the breach. Equifax was hitting all the right traditional benchmarks of excessive cybersecurity spending, tool stack, and team size, but without a way of measuring its cybersecurity performance effectiveness, it was all for naught. It’s easy to look at these surface-level metrics and not realize that they only describe what resources are available, not whether those resources are being used to full effect. When organizations focus on the wrong performance metrics, it becomes easy to lose sight of the KPIs that tell the real story of how strong the organization’s cybersecurity performance is.
If we are asking the wrong questions, then what are the right ones? Generally, those are metrics that actually measure how well your teams are performing their duties. The article lays out quite a few examples:
- What percentage of your endpoints are actually scanned for vulnerabilities and how often?
- What percentage of your endpoints are tagged in accordance with company policy?
- What is the average age of critical vulnerabilities on your network? How many vulnerabilities exist that exceed your time-to-remediate policy?
- Which departments or teams are performing better than others, and by how much?
- How are all of the above progressing over time? What is your baseline and what are you improving?
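The questions above are only useful if you can actually compute answers from your asset inventory and scan data. The following is an added example, not code from the article or from any product it mentions, that derives each of the listed KPIs from a small constructed data set: scan coverage within a window, tag-policy compliance, average age of critical findings, count of findings past a hypothetical per-severity remediation deadline, and a per-department breakdown. The endpoint records, the reporting date, and the SLA table are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed sample data (not from the article): five endpoints across two
# departments, each with a last-scan date, a tag-policy flag, and open findings.

@dataclass
class Vuln:
    severity: str      # "critical", "high", "medium", "low"
    first_seen: date   # date the finding was first reported by a scanner

@dataclass
class Endpoint:
    name: str
    department: str
    last_scanned: Optional[date]   # None = never scanned
    tagged_per_policy: bool
    vulns: List[Vuln] = field(default_factory=list)

AS_OF = date(2024, 3, 1)   # constructed reporting date; keeps results deterministic

ENDPOINTS = [
    Endpoint("fin-01", "finance", date(2024, 2, 27), True,
             [Vuln("critical", date(2024, 1, 20)), Vuln("high", date(2024, 2, 10))]),
    Endpoint("fin-02", "finance", date(2024, 2, 1), False,
             [Vuln("critical", date(2023, 12, 1))]),
    Endpoint("eng-01", "engineering", date(2024, 2, 29), True, []),
    Endpoint("eng-02", "engineering", None, True,
             [Vuln("medium", date(2024, 2, 20))]),
    Endpoint("eng-03", "engineering", date(2024, 2, 28), False,
             [Vuln("critical", date(2024, 2, 25))]),
]

# Hypothetical remediation policy: maximum days a finding may stay open, by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def pct_scanned_within(endpoints, days, as_of=AS_OF):
    """Share of endpoints whose most recent scan is within `days` of the reporting date."""
    scanned = sum(1 for e in endpoints
                  if e.last_scanned and (as_of - e.last_scanned).days <= days)
    return 100.0 * scanned / len(endpoints)


def pct_tagged(endpoints):
    """Share of endpoints tagged in accordance with policy."""
    return 100.0 * sum(e.tagged_per_policy for e in endpoints) / len(endpoints)


def avg_age_days(endpoints, severity, as_of=AS_OF):
    """Mean age in days of open findings of one severity; None if there are none."""
    ages = [(as_of - v.first_seen).days
            for e in endpoints for v in e.vulns if v.severity == severity]
    return sum(ages) / len(ages) if ages else None


def sla_breaches(endpoints, sla=SLA_DAYS, as_of=AS_OF):
    """Open findings older than their severity's remediation deadline."""
    return [(e.name, v.severity, (as_of - v.first_seen).days)
            for e in endpoints for v in e.vulns
            if (as_of - v.first_seen).days > sla[v.severity]]


def by_department(endpoints, metric, **kw):
    """Apply a metric per department so teams can be compared against each other."""
    groups = defaultdict(list)
    for e in endpoints:
        groups[e.department].append(e)
    return {dept: metric(eps, **kw) for dept, eps in sorted(groups.items())}


def kpi_snapshot(endpoints, as_of=AS_OF):
    """Headline KPIs for one reporting date; store one per period to build a trend."""
    return {
        "scanned_7d_pct": pct_scanned_within(endpoints, 7, as_of),
        "tagged_pct": pct_tagged(endpoints),
        "avg_critical_age_days": avg_age_days(endpoints, "critical", as_of),
        "sla_breaches": len(sla_breaches(endpoints, as_of=as_of)),
    }


if __name__ == "__main__":
    for key, value in kpi_snapshot(ENDPOINTS).items():
        print(f"{key}: {value}")
    print("scan coverage by department:",
          by_department(ENDPOINTS, pct_scanned_within, days=7))
    print("SLA breaches:", sla_breaches(ENDPOINTS))
```

Run `kpi_snapshot` at each reporting date and keep the results; the difference between a stored baseline snapshot and the latest one is the "progress over time" figure the last bullet asks for, and `by_department` is what turns the same functions into a team-versus-team comparison.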
These metrics measure how your team is performing on a day-to-day basis, as opposed to the traditional benchmark statistics. Tracking more meaningful cybersecurity performance indicators is imperative to improving the performance of your security operations, because it doesn’t matter how much money you spend on tools or cybersecurity frameworks if your team fails to do the basics.