Metrics not Mayhem
This is the first of a two-part ACT series on Cybersecurity Metrics that may be utilized by the organization in its day-to-day program. It will be followed by best practices for “the other half”, “5 Metrics the Board Needs to Read”.
The Chief Information Security Officer (CISO) faces a plethora of tasks and objectives to secure valuable and proprietary data frequently dispersed among numerous software and hardware resources. The CISO’s central (unwritten) skill requirement is, ‘problem solver extraordinaire’. But after the initial Sherlock inquiries of, “who, what, when, where and why?” for any cyber intrusion, the CISO must then ask (and quickly determine the answers),
- “How many (systems are affected)?”
- “How much (time has passed since the infection)?”
- “How long (will it take to remediate)?”
While the former set of detective inquiries is organizational, the latter set is operational, requiring some means to evaluate and measure. Thus, CISOs approach the problem with the engineer’s goal of “If you can measure it, you can fix it.”
Enter the requirement for cybersecurity metrics. Such metrics are groups of measurable actions or events that can be quantified and grouped by an analyst to approximate a value which may then be used as the basis for making decisions. General characteristics of metrics relevant to security and business strategy are,
- derived from factual data;
- correlate to an essential issue;
- expressed numerically;
- repeatable;
- adjustable to available resources;
- unique and do not overlap other categories;
- definable and can be prioritized in an action list.
Even though there is great variability in industries, requirements and uses, cybersecurity metrics may still be correlated into general groupings relevant across most sectors.
10 Primary Metrics a CISO Needs to Succeed
- applications – the number of applications in use, listed in a hierarchical order of importance, or critical need; plus, are there Internet of Things devices attached to the system?
- vulnerabilities – number of applications with disclosed vulnerabilities, and program of software management to address each defect, sometimes called a patching cadence;
- reconfigurations – mean time required to effect changes to configurations of vulnerable systems;
- intrusion attempts – how many breach attempts are incurred over a period of time;
- mean time to detect – how long it takes to detect actual intrusion events, which may be expressed in a number of days;
- mean time to resolve – how long it takes to initially respond to a breach event and determine a solution, which should be expressed in hours;
- installing patches – how many hours or days it takes to properly implement specific patches to rebuff the intruder, where these patches were not previously included above in the patching cadence;
- awareness training – results of employee training vs. the number of cybersecurity incidents reported over time, a steady increase in reporting indicating that training is working;
- third parties – frequency of access by, and review of, third-party access to critical systems;
- audit leftovers – are there outstanding cybersecurity matters still unresolved from the last assessment or audit?
Best Practices for Metric Reliability:
Organizations routinely rely upon metrics to manage programs and make business decisions. Various metrics may be compared over time to internal data to measure program effectiveness. In addition, metrics may also be compared to known benchmark data from outside sources derived from their industry.
- Logs should be routinely stored and monitored to define system performance and network activity. Thus, deviations may be set to activate an alarm or similar notification;
- Responses to alerts should be pre-configured into a Breach Response program;
- Metrics that support security and business objectives should be marked as priority and acted upon to improve system security and business operations;
- Automation should be employed to facilitate information gathering to promote the organizational objectives.
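As an added example (not part of the original commentary), the following Python computes three of the metrics defined above (mean time to detect in days, mean time to resolve in hours, and the patching cadence) from constructed incident and patch records, and applies the benchmark-deviation check that the best practices describe as an alarm trigger. The record fields, sample names, timestamps and the 20% tolerance are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Incident:
    # One intrusion event with the three timestamps the metrics need
    name: str
    compromised: datetime  # when the intrusion began (established by forensics)
    detected: datetime     # when it was first detected
    resolved: datetime     # when a fix was determined and applied

@dataclass
class Patch:
    # One patch tracked for the patching cadence (disclosure to deployment)
    advisory: str          # placeholder identifier, not a real advisory
    disclosed: datetime
    deployed: datetime

# Constructed sample records; all names and timestamps are illustrative.
INCIDENTS = [
    Incident("phish-01", datetime(2019, 3, 1, 9), datetime(2019, 3, 4, 9), datetime(2019, 3, 4, 17)),
    Incident("webshell-02", datetime(2019, 3, 10), datetime(2019, 3, 17), datetime(2019, 3, 18, 12)),
    Incident("creds-03", datetime(2019, 4, 2, 8), datetime(2019, 4, 3, 8), datetime(2019, 4, 3, 12)),
]
PATCHES = [
    Patch("ADV-EXAMPLE-1", datetime(2019, 2, 1), datetime(2019, 2, 15)),
    Patch("ADV-EXAMPLE-2", datetime(2019, 3, 5), datetime(2019, 3, 12)),
]

def mean_time_to_detect_days(incidents):
    """MTTD: mean of (detected - compromised), expressed in days."""
    return mean((i.detected - i.compromised).total_seconds() / 86400 for i in incidents)

def mean_time_to_resolve_hours(incidents):
    """MTTR: mean of (resolved - detected), expressed in hours."""
    return mean((i.resolved - i.detected).total_seconds() / 3600 for i in incidents)

def patching_cadence_days(patches):
    """Mean number of days from vulnerability disclosure to patch deployment."""
    return mean((p.deployed - p.disclosed).days for p in patches)

def exceeds_benchmark(value, benchmark, tolerance=0.20):
    """Deviation check: True when a metric is worse than the internal benchmark by more than tolerance."""
    return value > benchmark * (1 + tolerance)

if __name__ == "__main__":
    print(f"MTTD {mean_time_to_detect_days(INCIDENTS):.2f} d, MTTR {mean_time_to_resolve_hours(INCIDENTS):.1f} h, "
          f"patch cadence {patching_cadence_days(PATCHES):.1f} d")
```

Feeding the same functions from an incident-tracking export instead of the constructed lists turns this into the automated gathering the best practices call for, with `exceeds_benchmark` wired to the alert path.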
Thus, the CISO may employ best practices to operationalize the metrics into a cybersecurity program for the organization. As the program matures, internal benchmarks for each metric may be developed to determine progress over time. In a similar manner, proprietary benchmarks may be compared to reliable external benchmarks relevant to the industry. With these data in hand, the CISO may then forward to the directors, ‘5 Metrics the Board Needs to Read’, which will be the subject of our follow-up post.
Commentary by Attorney Timothy F. Mills, Editor / Action Cyber Times™ © 2019 All Rights Reserved.
Action Cyber Times™ provides resources for cybersecurity, data privacy, compliance, breach reporting and risk management, intellectual property theft, and the utilization of emerging technologies such as artificial intelligence, machine learning, blockchain DLT, advances in cryptographic applications, and more.
Disclaimer: The content available on the web site and in the blog posts is for informational purposes only and is not intended to, and does not, provide legal advice. Contact and retain an appropriate professional for legal advice. Use of this content or any of the links contained within the site do not create an attorney-client relationship. The opinions expressed are the opinions of the author.