How To Effectively Measure Your Cyber Security Program

To reduce your business's cyber risk, you have to measure the effectiveness of your cyber security program so that you can allocate resources to the initiatives that bring the largest return on investment. An effective program also helps with securing budget approval, because the cost can be justified by data-driven decisions. Meanwhile, cyber-attacks against organizations of all sizes continue to increase.

The risks of a successful attack can be crippling to an organization in terms of costs and brand damage. Executives and board members alike are asking tough questions on how secure their businesses are. Using effective criteria and metrics to measure the security program gives your senior leadership confidence that the security investments are used on the right things.

Success Criteria

Understand your business

As a security leader in your organization, it is vital to understand which business assets to protect and what level of security to put around those business assets. The following should be an ongoing process:

  • Inventory your business-critical systems, services and data. Know which systems are internal and which are external facing. How many critical systems reside in a cloud environment or a partner's hosting facility? Maintain a thorough inventory of everywhere your confidential data is stored, transmitted, and processed, including third-party partners and cloud environments.
  • Business impact: What is the business impact if the data in those critical assets is stolen, sold illegally or unavailable over time? Assess the impact at 1 day, 1 week and 1 month. Establish your risk appetite.
  • Costs: Assess the financial impact if those assets are successfully attacked by a cyber criminal. For example, if your company has an ecommerce site, it should not be difficult to ascertain how sales would be affected if the services on your site were inaccessible for 5 minutes, 1 hour, 1 day or 1 week.

Having knowledge of your business will ensure you are protecting the right things. This knowledge will also benefit you when speaking to executives and the board about securing your environment, because you can speak in business terms they understand.

Understand the Threat Landscape

Understanding the threat landscape is as important as understanding your business. It gives you confidence that you are protecting against the most impactful and timely cyber threats. Ransomware is a good example. A few years ago, ransomware was not as ubiquitous, and the costs of a successful attack were nowhere near what they are now. Today, a successful attack can cost millions of dollars and disrupt services for days, if not weeks. Protecting against ransomware must be a top priority in today's threat landscape.

Some tips on how to better understand the threat landscape are:

Leverage threat intelligence

  • Security reports, e.g., the Verizon Data Breach report or CrowdStrike's cyber threat reports
  • Daily and weekly email or RSS feeds, e.g., US-CERT security bulletins
  • Websites that provide updates on current attacks and tactics, e.g., SANS DShield

Use trusted security partners

They can assist in providing timely updates on high-risk attacks and how to protect against them. Because they know your environment, they can provide context in their updates that is relevant to your organization.

Threat intelligence security modules

Security vendors sell threat intelligence tools which integrate with your existing security solutions to provide up to date defenses against current attacks.

Meaningful Metrics

Using meaningful security metrics is important for measuring the effectiveness of your security program. Combining your metrics with the current threat landscape and with impact analysis of your critical systems, services, and data allows you to show the effectiveness of your security controls, and helps you communicate cyber risk in business terms to your leadership group. Although some metrics will be specific to an organization's risk appetite, there are common metrics that should be used, or customized, by most organizations. A few of them are:

  1. Security patching cadence
  2. Employee click rate on scheduled phishing tests
  3. Statistics on security awareness training enrolment and completion
  4. Reported cyber security incidents
  5. Ability to detect unidentified systems on the network
  6. Number of assets on the network, and how many of them run up-to-date, supported operating systems
  7. Types of attacks on your critical systems
  8. Malware infection rates
  9. Length of time to respond to a cyber security incident
  10. Length of time to contain a cyber security incident

These are just a few of the security metrics to use when measuring your security program. We will post another article soon dedicated to effective security metrics.
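As an added illustration (not part of the original article), the following script computes three of the metrics above from constructed sample records: patching cadence against a per-severity SLA (metric 1), and time to respond and time to contain incidents (metrics 9 and 10). The incident timestamps, CVE-style identifiers and SLA limits are all made up for the example; the SLA values stand in for whatever risk appetite your organization has set.

```python
from datetime import date, datetime
from statistics import mean, median

# Constructed sample incidents (not real data): when each was detected,
# when a responder first acted, and when it was contained.
INCIDENTS = [
    {"id": "INC-1", "detected": "2024-03-01T08:00", "responded": "2024-03-01T09:30", "contained": "2024-03-01T14:00"},
    {"id": "INC-2", "detected": "2024-03-04T22:15", "responded": "2024-03-05T07:15", "contained": "2024-03-06T07:15"},
    {"id": "INC-3", "detected": "2024-03-10T10:00", "responded": "2024-03-10T10:20", "contained": "2024-03-10T12:20"},
]

# Constructed patch records with placeholder identifiers: vendor release
# date, deployment date, and severity.
PATCHES = [
    {"cve": "EXAMPLE-0001", "severity": "critical", "released": "2024-03-01", "deployed": "2024-03-05"},
    {"cve": "EXAMPLE-0002", "severity": "critical", "released": "2024-03-02", "deployed": "2024-03-20"},
    {"cve": "EXAMPLE-0003", "severity": "high", "released": "2024-03-03", "deployed": "2024-03-25"},
    {"cve": "EXAMPLE-0004", "severity": "high", "released": "2024-03-04", "deployed": "2024-03-30"},
]
# Hypothetical SLA (days to deploy) per severity; this is the risk appetite
# the metric is measured against.
SLA_DAYS = {"critical": 7, "high": 30}


def _hours(start, end):
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def response_metrics(incidents):
    """Metrics 9 and 10: hours from detection to first response and to containment.
    The median is reported beside the mean so one slow incident does not hide the typical case."""
    respond = [_hours(i["detected"], i["responded"]) for i in incidents]
    contain = [_hours(i["detected"], i["contained"]) for i in incidents]
    return {
        "mean_hours_to_respond": round(mean(respond), 2),
        "median_hours_to_respond": round(median(respond), 2),
        "mean_hours_to_contain": round(mean(contain), 2),
        "median_hours_to_contain": round(median(contain), 2),
    }


def patch_cadence(patches, sla_days):
    """Metric 1: mean days from release to deployment, and the share of
    patches deployed within the SLA, broken down by severity."""
    result = {}
    for severity, limit in sla_days.items():
        ages = [(date.fromisoformat(p["deployed"]) - date.fromisoformat(p["released"])).days
                for p in patches if p["severity"] == severity]
        if not ages:  # no patches of this severity in the reporting period
            continue
        within = sum(1 for a in ages if a <= limit)
        result[severity] = {"mean_days_to_deploy": round(mean(ages), 1),
                            "pct_within_sla": round(100 * within / len(ages), 1)}
    return result


if __name__ == "__main__":
    print(response_metrics(INCIDENTS))
    print(patch_cadence(PATCHES, SLA_DAYS))
```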

How Brockton Point Solutions Can Help

Brockton Point Solutions can be your trusted partner in building or improving your cyber security maturity. We will help build metrics to effectively measure your security program. Whether your organization is establishing a cyber security program or wishes to improve an existing one, we are here to help. With our risk assessment, governance and compliance services, we can assess your current program, identify what works and what does not, and build a more mature program with you. Members of the Brockton Point team have over 15 years' experience in cyber security. We are excited to help organizations further mature their security programs. Reducing your cyber risk to a manageable level is important when running a business, and having an effective way to measure your program helps reduce that risk.
