It’s important for chief information security officers (CISOs) to track certain metrics to gauge the efficiency of their SOC and to see how effectively they’ve achieved their goals. Tracking shows how the security function has progressed on each metric over time. Cybersecurity KPIs will also help CISOs benchmark against industry standards and understand critical areas of improvement.
Tracking these KPIs can also help CISOs communicate clearly with the board. Providing insights on key metrics will help CISOs obtain the necessary budget and decide how to use it efficiently.
So, let’s take a look at each of these metrics and what insights you can gain by tracking them.
- Incident rate: Is the number of incidents decreasing month-to-month? If so, by how much? Tracking this will help CISOs measure the effectiveness of their detection technologies, such as SIEM.
- Breach likelihood: What’s the probability of a breach with the current security controls in place? If the estimated number of likely breaches were to occur, what would the breach impact be?
- Cost per incident: What is the total cost associated with a security incident within the organization? Is it higher or lower than the industry standards? This will tell CISOs if they’re on the right track or if a course correction is needed to reduce the costs.
- Risk exposure: What’s the status of their risk exposure, taking into account breach likelihood and impact? Tracking this can help CISOs obtain budget approvals and prevent undesirable attacks.
- Severity level of a breach: On a scale of 1-5, how severe are the breaches? How many breaches exceed level three? Tracking these will give CISOs a true reflection of their organization’s security posture.
- Mean time to detect (MTTD): How quickly is the security team detecting threats? Can the organization reduce its MTTD by investing in a SIEM solution to foil cyberattacks swiftly? If the organization already has a SIEM solution, has its MTTD improved?
- Mean time to respond, recover, and resolve: What’s the average time to respond to, recover from, and fully resolve a security incident? Tracking this can help CISOs identify whether their mean time to respond, recover, and resolve incidents is getting better with time. This will reflect the performance of their team and their SIEM solution.
- Mean time to patch (MTTP): How quickly is the security team applying patches to vulnerable software and applications? Quicker implementation from the security team leaves fewer incidents for CISOs to worry about.
- Level of security maturity: CISOs should use cybersecurity frameworks to determine their organization’s security maturity level. Identifying this can help them develop a plan to elevate their security maturity to a higher level.
- Percentage of users not using MFA: How many users are not using MFA? Is this number decreasing month-to-month? Tracking this can help organizations prevent cyberattacks.
- Frequency of backup: How frequently does the organization back up its data? If an attack were to occur tomorrow, what would be the extent of its impact on the business? How soon would it be able to resume operations?
- Percentage of watchlisted users: CISOs should know how many risky users are in their organization and who they are. Is there a decrease in this percentage month-to-month? If an employee were to attempt an insider attack, would their SIEM solution be able to identify and thwart it in real time?
- ROI: Is the CISO observing a positive ROI from their security spending? Tracking this will positively impact their board’s future security budget approvals.