Cybersecurity Metrics Your CIO Expects You to Know

In today’s landscape, managing your internal security processes as well as creating a third-party vendor risk management program should be top of mind, but prioritizing a solid understanding of the metrics surrounding your cybersecurity programs almost just as important. These metrics should dive deeper than “yes” or “no” questionnaire answers, but should help you gain a more comprehensive understanding of where you and your third parties fall when it comes to proactively mitigating cyber risk.

Where To Start When Tracking Cybersecurity Metrics

1. Number of botnet infections and detection deficit.

This is the top cybersecurity metric that every organization must monitor. By examining how many botnet infections have taken place on your network over a given period of time—and what types of botnets you’ve dealt with—you can better prepare for, and protect against, these types of attacks as well as learn from previous examples.

If your organization successfully tracks botnet infections, you may be able to shorten the detection deficit, or the time between the point of discovery and the point of compromise. In other words, the greater the speed at which you can identify that something is happening on your network and appropriately respond to it, the greater the likelihood of preventing the hacker from getting a foothold in your organization. If you’re able to keep the detection deficit as close to zero as possible, you’ll be in far greater shape.

The problem is for many organizations, fixing a gap between the intrusion and the solution can take hours, days, weeks, or even months to identify and remediate a security breach. By closely monitoring the number of botnet infections that take place on your organization’s network, as well as the time it takes you to remediate those infections, security leaders can take important steps towards managing their security.

2. Percentage of employees with privileged access to corporate information.

Gaining control of an employee’s login information or account access gives a hacker everything they need to take control of a corporate infrastructure and cause significant damage. Knowing who has super-user access and monitoring those individuals closely for internal or external issues is a very important metric for the board to be on top of. This information also will provide you with valuable insight to determine whether you’re providing too many individuals with unlimited network access, so you can reduce privileges to those individuals who actually need it.

3. Percentage of critical third parties whose cybersecurity health is continuously monitored.

Traditional vendor risk management practices only offer you a snapshot view of a vendor’s security posture at a single point in time. Even if you perform audits, penetration tests, and vulnerability scans, you still won’t know what’s going on with your vendors’ security on a day-to-day basis. But continuously monitoring the cybersecurity of your third-parties allows you to look at those you’ve deemed as critical — usually vendors who have access to sensitive data or direct corporate network connections — and determine in real-time how they’re performing. This will allow you to make data-driven decisions about your top-priority vendors.

What Metrics You Should Bring To Your CIO

There are many different metrics that the security team collects to measure the performance and effectiveness of its security program, but only a select number of these metrics hold enough weight to be reported to the C-suite. The cybersecurity metrics for the board should be presented in a language the board understands, and should speak directly to whether your company is taking the right steps toward managing cybersecurity. It may also be helpful put these metrics together into a cybersecurity dashboard that the C-suite can reference on their own.

Below are four key cybersecurity metrics for reporting cyber security to the board:

1. Company performance against your peers.

The top cybersecurity metric for board-level reporting today is how your organization’s cybersecurity performance compares to the peers in your industry. This information is usually easily digestible, visually appealing, and highly compelling, which makes it a top choice for reporting cyber security to executives.

You can gather this metric most easily through a security rating. The example below is a screenshot from the Bitsight Security Ratings platform, which allows you to easily benchmark your security performance against a number of your industry peers and competitors over a period of time.

2. Incident identification and response times.

It is important to differentiate between a vulnerability and an incident. A vulnerability is a flaw that could potentially be exploited, where an incident is an actual exploitation or compromise of a system. Identification and response times are important cybersecurity metrics for the board to understand because it demonstrates the effectiveness of the programs and processes they are budgeting for to protect their cyber footprint.

Cybersecurity programs are measured by how quickly the organization can measure and respond to incidents, because the quicker the programs can eliminate the malware the less damage is likely to be done. Unfortunately, many companies let malware dwell on their network for far too long, which gives hackers a longer opportunity to compromise their systems. This is often because the organization isn’t aware of the intrusion in the first place.

There are a number of different ways to measure incident response rates. You can:

• Use security ratings to get actionable data about an incident right away.
• Identify a security incident on your system, shut it down, and manually record your own response time.
• Learn about an incident through a third party, such as law enforcement, and find out through them when an incident occurs based on their notification systems.

3. High risk findings that are outstanding from recent audits or security assessments.

Whether your last cyber security audit or assessment was done in-house or by a third party, it will typically include a number of suggestions in regards to improving your organization’s cybersecurity posture. The recommendation from the audit committee is almost always to fix any high-risk findings immediately. If any of the high-risk outcomes from the audit have not yet been completed in the time frame recommended, your board should definitely be aware. Including the status of outstanding audit findings are an important cybersecurity metric for the board to have access to.

4. Patching Cadence.

Expanding from just the audit patches, this metric involves determining how many vulnerabilities you have in your system and how many critical vulnerabilities have yet to be patched. When a new update comes out for a system you already have in place, or when you purchase a new software solution, it may have bugs or vulnerabilities that are found post-deployment. Patches for these vulnerabilities become available regularly—but they don’t do any good unless they’re applied immediately. Thus, frequent patching cadence can reduce the number of vulnerabilities in your company’s system.

These four metrics are important for an executive board to consistently receive updates about, especially when determining the right budgeting decisions. It is also important for the executive board, as well as the cybersecurity team to have a few solid metrics for demonstrating the performance of your third-parties.

Key Performance Indicators For Evaluating Each Of Your Vendors

Security professionals also aim to communicate the status of their vendors’ security performance in the form of cybersecurity metrics for the board’s use as well. Similar to the metrics representing the internal security status of a company, highlighted below are the two most important metrics when reporting the performance of third-parties security procedures to the executive team or the board of directors.

1. Amount of time it takes your vendors to immediately remediate vulnerabilities.

Similar to a company’s internal “patching cadence”, this involves determining how many vulnerabilities your vendors have in their system and how many of these are critical and/or have yet to be patched.

For instance, one of your third-parties may purchase and deploy a new piece of software, which could have a number of vulnerabilities that the software company releases patches for. It is critical for you to monitor how quickly your vendor is able to patch each of these vulnerabilities because leaving vulnerabilities unpatched can increase the likelihood of your sensitive data your vendor is connected to being exposed.

2. Time it takes your vendors to respond to security incidents.

A security incident is an actual exploitation of a system — not just the threat of it. So you will be concerned with how quickly your third parties are able to identify threats and respond to them appropriately. Not surprisingly, the longer it takes for these incidents to be shut down, the greater the chance that your data will also be compromised.

The catch here is that virtually no third-party will want to provide you with these metrics. They may not be tracking this metric themselves, or they could be performing poorly and don’t want to share that with you. Typically when you use traditional vendor monitoring methods, there are a limited number of things you can understand about a third-party’s cybersecurity effectiveness. You can view recent audits, conduct vendor risk assessments, perform on-site interviews, and review documentation, but these methods take time and are completely subjective.

Having a tool like Bitsight Security Ratings that is able to alert you to potential security incidents when they happen is highly useful — not only for your vendors, but for your company and board of directors as well.

This piece has been modified since its original posting in September of 2018. It has been updated to include up-to-date information on Bitsight, our security ratings, and the cybersecurity industry.