Against a backdrop of increasingly frequent and sophisticated cyber threats, investment in cybersecurity is becoming a strategic imperative. This is where cybersecurity performance evaluation comes in. Developing KPIs and dashboards makes it possible to assess the effectiveness of a company's security posture, highlight gaps, facilitate decision-making (at both strategic and operational levels), and justify cybersecurity investments.
How do you define relevant cybersecurity KPIs? How can you assess your performance on an ongoing basis and interpret the results? How can you go beyond a purely technical approach to cybersecurity performance?
Why and how to define cybersecurity KPIs?
What is a cybersecurity KPI?
In its Guide d'élaboration de tableaux de bord de sécurité des systèmes d'information, ANSSI defines an indicator as "statistical data combining the measurement of one or more key points and used in comparison with a history, target value(s) and/or threshold value(s)".
The use of KPIs is therefore geared towards performance evaluation.
These KPIs make it possible to visualize the trajectory and effectiveness of a security policy, and the relevance of the strategy and actions taken. The metrics must be adapted to the security objectives and context of each organization. Performance indicators can be divided into two main categories:
- Operational indicators (number of vulnerabilities, frequency of updates, number of security alerts, etc.).
- Strategic indicators (status of information system security policy implementation, monitoring of security controls, etc.).
How do you choose the right metrics and KPIs?
The choice of performance indicators is tied to the objectives (business objectives and security objectives) of each organization. It is up to the organization to define the most relevant metrics in the context of its activity, industry regulations and the expectations of management/COMEX. KPIs therefore need to be clear, cost/benefit oriented and translated for non-technical profiles.
Choosing relevant, personalized KPIs requires a thorough understanding of your information system - and therefore of its scope and technical characteristics - and the identification of the risks it faces, while taking into account your organization's cyber maturity. Setting up cybersecurity KPIs is an ongoing process, which must be able to adapt constantly to changing threats.
How can you continuously assess your cybersecurity performance?
Cybersecurity performance analysis is geared towards improving decision-making and efficiency (prioritizing security actions, vulnerabilities to be corrected, decisions to be made during an incident response phase, etc.). Various approaches and tools exist to achieve this objective.
Mapping your information system
Considered by ANSSI to be an essential tool for mastering your information system, IS mapping brings together a significant number of KPIs, including:
- Asset inventory
- Number of assets exposed on the Internet
- Number of assets without BDU
- Number of assets storing sensitive/critical data
- Number of Shadow IT assets
- Vulnerability detection and correction (patch management)
- Identification and authentication failures
This list is far from exhaustive, and each organization can aggregate the data it needs to meet its security objectives. Interpreting these different performance indicators requires correlating them and, above all, monitoring their evolution over time. Drawing up an information system map is an integral part of a performance evaluation process, particularly useful for any organization wishing to accurately assess its attack surface, or to identify Shadow IT in order to better reduce it.
Perform penetration tests and simulate attacks
What better way to assess your cybersecurity performance than to test your IT system's ability to withstand penetration tests and simulated attacks? These exercises provide a realistic assessment of performance, and can bring out particularly instructive KPIs, such as Mean Time To Detect (MTTD), Mean Time To Resolve (MTTR), etc.
Penetration tests and attack simulations help to assess the performance of the security systems and procedures in place. They also help to clarify roles and responsibilities. The result: better protection and response to security incidents, by capitalizing on past incidents and pentests. This improves decision-making and the prioritization of actions to be taken in the event of an incident.
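To make the ANSSI definition concrete, here is an added example (not part of the original article, and not OverSOC's or ANSSI's code) that computes a few of the indicators just discussed: the IS-mapping KPIs listed above (assets exposed on the Internet, Shadow IT assets, assets with open critical vulnerabilities) and the MTTD/MTTR response KPIs. Each indicator is then compared with a history (last period's value), a target value and a threshold value, exactly the three comparison points the ANSSI definition names. The asset inventory, incident records, previous-period values, targets and thresholds are all constructed for illustration; MTTR is assumed here to run from detection to resolution, and the `lower_is_better` flag lets the same logic handle indicators such as the number of phishing e-mails reported by users, where a higher value is the good outcome.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed sample asset inventory (hypothetical data, not from the article).
# "in_cmdb" False means the asset was discovered but is unknown to the CMDB (Shadow IT).
ASSETS = [
    {"id": "srv-01", "internet_exposed": True,  "sensitive_data": True,  "in_cmdb": True,  "open_critical_vulns": 2},
    {"id": "srv-02", "internet_exposed": False, "sensitive_data": True,  "in_cmdb": True,  "open_critical_vulns": 0},
    {"id": "srv-03", "internet_exposed": True,  "sensitive_data": False, "in_cmdb": False, "open_critical_vulns": 1},
    {"id": "ws-01",  "internet_exposed": False, "sensitive_data": False, "in_cmdb": True,  "open_critical_vulns": 0},
    {"id": "ws-02",  "internet_exposed": False, "sensitive_data": False, "in_cmdb": False, "open_critical_vulns": 0},
]

# Constructed incident records: when the incident occurred, was detected, and was resolved.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:00", "resolved": "2024-03-01T18:00"},
    {"id": "INC-2", "occurred": "2024-03-05T09:00", "detected": "2024-03-05T09:30", "resolved": "2024-03-06T09:30"},
    {"id": "INC-3", "occurred": "2024-03-10T22:00", "detected": "2024-03-11T02:00", "resolved": "2024-03-11T06:00"},
]

# Constructed values from the previous reporting period (the "history" to compare against).
PREVIOUS_PERIOD = {
    "assets_internet_exposed": 3,
    "shadow_it_assets": 2,
    "assets_with_critical_vulns": 1,
    "mttd_hours": 3.0,
    "mttr_hours": 10.0,
}


def mapping_kpis(assets):
    """Operational indicators derived from the IS map (simple counts over the inventory)."""
    return {
        "assets_total": len(assets),
        "assets_internet_exposed": sum(a["internet_exposed"] for a in assets),
        "assets_with_sensitive_data": sum(a["sensitive_data"] for a in assets),
        "shadow_it_assets": sum(not a["in_cmdb"] for a in assets),
        "assets_with_critical_vulns": sum(a["open_critical_vulns"] > 0 for a in assets),
    }


def _hours(start, end):
    """Elapsed hours between two ISO-like timestamps (minute precision)."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def response_kpis(incidents):
    """MTTD (occurrence -> detection) and MTTR (detection -> resolution), in hours.
    The detection-to-resolution definition of MTTR is an assumption of this example."""
    return {
        "mttd_hours": mean(_hours(i["occurred"], i["detected"]) for i in incidents),
        "mttr_hours": mean(_hours(i["detected"], i["resolved"]) for i in incidents),
    }


@dataclass
class Indicator:
    """An indicator in the ANSSI sense: a value read against history, a target and a threshold."""
    name: str
    value: float
    previous: float          # history: the value measured last period
    target: float            # value the organization aims for
    threshold: float         # beyond this the indicator is out of tolerance
    lower_is_better: bool = True

    def status(self):
        """Traffic-light status: green on target, amber within threshold, red beyond it."""
        if self.lower_is_better:
            on_target, within = self.value <= self.target, self.value <= self.threshold
        else:
            on_target, within = self.value >= self.target, self.value >= self.threshold
        return "green" if on_target else ("amber" if within else "red")

    def trend(self):
        """Direction of change versus the previous period."""
        if self.value == self.previous:
            return "stable"
        improved = (self.value < self.previous) if self.lower_is_better else (self.value > self.previous)
        return "improving" if improved else "worsening"


def build_dashboard(assets=ASSETS, incidents=INCIDENTS, history=PREVIOUS_PERIOD):
    """One dashboard row per indicator. Targets and thresholds below are constructed examples."""
    m, r = mapping_kpis(assets), response_kpis(incidents)
    indicators = [
        Indicator("assets_internet_exposed", m["assets_internet_exposed"], history["assets_internet_exposed"], target=1, threshold=3),
        Indicator("shadow_it_assets", m["shadow_it_assets"], history["shadow_it_assets"], target=0, threshold=1),
        Indicator("assets_with_critical_vulns", m["assets_with_critical_vulns"], history["assets_with_critical_vulns"], target=0, threshold=2),
        Indicator("mttd_hours", r["mttd_hours"], history["mttd_hours"], target=1, threshold=4),
        Indicator("mttr_hours", r["mttr_hours"], history["mttr_hours"], target=8, threshold=24),
    ]
    return {i.name: {"value": round(i.value, 2), "trend": i.trend(), "status": i.status()} for i in indicators}


if __name__ == "__main__":
    for name, row in build_dashboard().items():
        print(f"{name:28} {row['value']:>7}  {row['status']:5}  {row['trend']}")
```

On the constructed data, the Shadow IT count comes out red (2 unknown assets against a threshold of 1) and stable, while Internet exposure is amber but improving: the same raw number reads very differently once history, target and threshold are attached, which is the point of the ANSSI definition.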
Proactive malware monitoring
The ultimate aim of cybersecurity performance measurement is to improve security posture. So it's only logical that malware monitoring - via dedicated tools - should be an integral part of the process. A tool like Malwarebytes, for example, offers real-time protection against ransomware, malware, spyware and adware. A tool like TotalAV (antivirus), on the other hand, detects and removes viruses, while offering additional features such as system optimization, privacy protection, secure browsing, phishing protection and file access control.
Use data analysis tools
Measuring cybersecurity performance can generate a large amount of data, which can be used for a variety of purposes (e.g., detecting unusual behavior using tools based on machine learning algorithms).
As well as helping to interpret results and identify cybersecurity trends, these tools provide an overview of the health and security of an organization's IT environment.
Cyber performance indicators: going beyond a purely technical approach
Creating a security culture
Assessing and improving cybersecurity performance involves a whole range of stakeholders: IT teams, of course, but also business managers, users and the management team. All are involved in their organization's security posture, produce indicators and can help reduce the "human attack surface".
Sharing KPIs and dashboards helps create a culture of security. It is a useful way of highlighting the progress made collectively in the field of cybersecurity.
Ongoing training and awareness-raising
Implementing cybersecurity training and awareness initiatives can also support an organization's security objectives. Encouraging users to report malicious e-mails, raising staff awareness of good cyber hygiene practices during their onboarding, organizing phishing simulations... are all useful initiatives to change behavior and improve security posture.
Cybersecurity awareness programs can also be evaluated on the basis of performance indicators:
- Number of phishing emails reported by users
- Number of security incidents caused by human error
- Click-through rate for phishing simulations
Performance and KPIs in cybersecurity: what you need to know
- Each organization defines its own cybersecurity KPIs based on its needs and objectives, taking into account its resources and business constraints.
- These KPIs enable you to measure the effectiveness of your security policy on an ongoing basis, provided you choose them carefully and interpret them correctly.
- Mapping the information system makes it possible to correlate different performance indicators and track their evolution over time.
- Assessing cybersecurity performance is a continuous improvement process. KPIs need to be monitored over time, in particular through the use of data analysis tools.
- To assess their cybersecurity performance, organizations can also move away from a purely technical approach and work on raising employee awareness.
OverSOC can help you integrate these practices to improve your cybersecurity performance: Contact us to find out more.