Everything can be measured these days, and IT security is no different. That presents a paradox for InfoSec teams. Under-analyse, and you could be ignoring critical vulnerabilities. But look into every nook and cranny of your operation, and you can soon drown under the weight of too many data points.
This conundrum becomes more profound for startups and scale-ups. They typically lack the resources to easily uncover insights, or take action against everything they find.
The answer is to be selective. Don’t track things just because you can. Instead, define a set of core KPIs that are fundamental to your business' data security strategy, and that you can impact with the tools at your disposal. Other metrics shouldn’t be overlooked entirely, but aggregated and investigated less frequently. (And then promoted to core status later, if warranted.)
Here we look at some common cybersecurity KPIs that should be of interest to a startup. For the purposes of simplicity, we have grouped these into themes.
The first step in securing data is to know what you have. This is known as the ‘Sensitive Data Footprint’, and is a record of what information your organisation holds, how confidential each item is, where it is stored, and who has access to it.
Though it is not a KPI in itself, focusing on the data layer of your business can give you metrics that can be tracked, such as: the number of unclassified documents or datasets; the number of employees with ‘super user’ access level; and how long that sensitive data is stored for before being erased.
There is a range of KPIs that look at how well protected your technology infrastructure and software are. These include: the number of systems with known vulnerabilities; the number of SSL certificates configured incorrectly; and the number and nature of data integrations between different systems.
One of the biggest threats to IT security comes from within. Understanding the level of internal risk can be achieved by looking at: the number of unknown devices on a network; how long it takes to deactivate a former employee’s access; the volume of data transferred within the corporate network; and adherence to training requirements and policies.
A sure-fire way to understand and improve your SaaS security posture is to identify any trends in the threats posed. Metrics that help with this are: the number of intrusion attempts; how many successfully breached your defences; and the nature of these attacks (i.e. where they originate, what vulnerability they are designed to exploit, and what impact they are meant to have).
Healthy relations with suppliers and third-parties can soon backfire if their weak security posture leaks into your own environment. This can be tracked by measuring: third-party cybersecurity policies and certificates; third-party access rights to systems and information; and the frequency, ease and efficacy of software patching schedules.
How fast you respond when a security event occurs is key to know. There are a number of metrics to measure this, most notably: Mean Time To Identify (MTTI) - how long do security threats go unnoticed? Mean Time To Respond (MTTR) - how quickly is remedial action taken? And Mean Time To Contain (MTTC) - how long does it take to stop the threat across all users and endpoints?
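As an added illustration of how these three response-time KPIs are derived from an incident log (example code, not part of the original article or any product it mentions), the script below computes MTTI, MTTR and MTTC from a handful of constructed incident records. It assumes a simple record per incident with four timestamps, measures MTTI from first occurrence to identification, MTTR from identification to the start of remediation, and MTTC from first occurrence to full containment; incidents that are still open are excluded from MTTC and counted separately, so an unresolved incident cannot quietly flatter the average.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    """One row of an incident register (hypothetical schema for this example)."""
    ident: str
    occurred: datetime                      # when the threat first became active
    identified: datetime                    # when the team noticed it
    responded: datetime                     # when remedial action began
    contained: Optional[datetime] = None    # None while the incident is still open

    def validate(self) -> None:
        # Timestamps must move forward; a clock error here would corrupt every KPI.
        if not (self.occurred <= self.identified <= self.responded):
            raise ValueError(f"{self.ident}: timestamps out of order")
        if self.contained is not None and self.contained < self.responded:
            raise ValueError(f"{self.ident}: contained before response began")


# Constructed sample data; these are not real incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2023, 3, 1, 9, 0), datetime(2023, 3, 1, 11, 0),
             datetime(2023, 3, 1, 12, 0), datetime(2023, 3, 1, 18, 0)),
    Incident("INC-2", datetime(2023, 3, 5, 22, 0), datetime(2023, 3, 6, 8, 0),
             datetime(2023, 3, 6, 9, 30), datetime(2023, 3, 7, 9, 30)),
    Incident("INC-3", datetime(2023, 3, 10, 14, 0), datetime(2023, 3, 10, 14, 30),
             datetime(2023, 3, 10, 15, 0), None),      # still open
]


def _mean_hours(deltas: list) -> Optional[float]:
    """Average a list of timedeltas in hours; None when there is nothing to average."""
    if not deltas:
        return None
    total = sum(deltas, timedelta())
    return total.total_seconds() / 3600 / len(deltas)


def response_kpis(incidents: list) -> dict:
    """Return MTTI, MTTR and MTTC in hours plus the number of still-open incidents."""
    for inc in incidents:
        inc.validate()
    closed = [inc for inc in incidents if inc.contained is not None]
    return {
        "mtti_hours": _mean_hours([inc.identified - inc.occurred for inc in incidents]),
        "mttr_hours": _mean_hours([inc.responded - inc.identified for inc in incidents]),
        "mttc_hours": _mean_hours([inc.contained - inc.occurred for inc in closed]),
        "open_incidents": len(incidents) - len(closed),
    }


if __name__ == "__main__":
    for name, value in response_kpis(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
```

Reporting `open_incidents` alongside MTTC is deliberate: a dashboard that shows only the averages hides the incident that has not been contained at all, which is usually the one an executive most needs to hear about.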
Security KPIs can also come in the form of progress reports against specific plans. This can be especially helpful for startup InfoSec teams that are focussed on laying the foundations of their operation. These can include: team vacancies filled; number of employees trained to a particular standard; publication of new (or reviewed) security policies; and completion of onboarding and integration of new security tools.
InfoSec teams must also consider how to communicate their KPIs and progress against them. Once again, this can be more challenging in a startup, where the pervading narrative is often about sales and growth. So how can InfoSec teams present their KPIs so they cut through?
That depends on the audience. Different stakeholders will need different strategies.
For example, senior leaders will be more interested in the overall security posture of their organisation. They will want to see metrics that illustrate how they compare to industry standards, and how (if at all) things are improving.
These executives also hold the purse strings, so choose KPIs with future budget requests in mind. Explain how a new piece of software or extra headcount can shift the needle on a KPI. Executives are also time-constrained, so how you present progress against KPIs is crucial. Charts and illustrations are often more digestible than reams of words. Vocabulary matters too. Technical jargon, or statistics presented without context, are easy to ignore.
Better still, give executives control. Give them a dashboard of your KPIs, so they don’t have to rely on your team to provide what they want to know. And make it easy for them to drill down, so those who want a more forensic understanding of any aspect of security can see it.
Employees need a different approach. Here, the role of security KPIs is to home in on, and show progress against, specific behaviours. So the first question for SecOps to wrestle with is what behaviours they want to see.
The next is to appreciate that KPIs are not simply a reporting mechanism, but can also influence behaviour. For example, data loss prevention software such as Metomic communicates compliance and errors at an employee level, in real time. It doesn’t take too much more to gamify that analysis, and reward individuals who are supporting progress to KPIs. Not everyone may care enough about the organisation’s overall security posture, but most care about their career prospects.
Approached logically and with empathy for different audiences, KPIs do not need to be daunting tests of accountability for SecOps teams. Rather, they should help to elevate the security agenda with executives and employees alike.
Choose the right KPIs, and use them to engage and shape behaviours as well as to measure, and they go from performance indicators to productivity influences.