Establishing organizational and security operations metrics improves management and reduces company risk
An organization's ability to discover and reduce risk in a more preventative manner rests heavily on having clear cybersecurity and security operations metrics.
Understanding the overall security posture of your enterprise is determined by creating a baseline of select organizational and security operations metrics. With baseline numbers established, you can then begin to increase visibility, education and improvement to both technology and processes within your program. Metrics should be garnered from critical assets with risks and improvements presented to key stakeholders within the organization. These metrics help determine where particular areas of a program are running smoothly and where additional insight should be applied.
Defining the cybersecurity metrics that matter to your organization
Start by understanding your organization's critical assets. This could include everything from sensitive customer data and company IP to users and devices. I almost always suggest starting with anything compliance-related or having to do with public assets. These are the areas where you should be building metrics first. Ultimately, you're looking to measure your ability to effectively and proactively secure your company's most valuable assets. Ensuring visibility into these areas first is vital to identifying lapses in performance that could compromise security and triggering response to get processes back on track.
After you've identified what needs to be monitored, you need to start collecting information and determining what data points are available. The process for collecting metrics is an important discussion item, since we want to limit as much manual effort as possible. Determining what information to collect and how you'll gather and analyze this data is a crucial step in your metrics journey. You'll also want to gut-check your identified metrics with a risk-based team, if available, to determine prioritization of the remediation efforts when those needs arise.
Baselines set the stage for goal-setting and measuring progress
Creating baselines is what you’ll use to determine the current cybersecurity maturity of your organization overall as well as your SOC. Baselines also help you identify any outliers or blatant concerns which require urgent attention. By creating this foundation and setting standards reflecting what’s normal within your organization, you create a basis for setting goals and milestones. Included in your baselines should also be an understanding of industry standards and your organization's appetite/tolerance for risk. Without these, identifying future goals is destined to be a fruitless exercise.
As an example, let's say you set a goal of having all Windows systems patched within one week of new Microsoft patches being released. To set this as an effective goal, you would need to have already done the following:
- Baseline the current state of your patching performance - what is the current time frame for new patches to be applied?
- Understand your organization's risk tolerance - how long are unpatched systems acceptable?
Only by understanding these elements can you determine if a one-week patching window is actually a good, reasonable, achievable goal.
A strong cybersecurity metrics program requires stakeholder buy-in
The first step in building your enterprise cybersecurity metrics and security operations KPIs is setting clear direction as to what you're collecting and why. You’ll need true vision and stakeholder buy-in on a defined path forward. Throughout my career, I've seen groups attempt to get stakeholder approval first - without having a plan, vision and long-term strategy. The result of this approach has been a barrage of questions and little in the way of support. Particularly when soliciting buy-in from executive leadership, you'll reduce the friction and expedite approvals by clearly articulating a solid plan and the concrete role their support plays.
Outside the executive suite, some stakeholders may feel a metrics program adds pressure to their departments because of the added visibility into their day-to-day operations. No one enjoys feeling like another group within the organization is "keeping tabs" on them. Building and presenting your program to alleviate this concern is paramount to minimizing pushback. I've found that framing the process and rationale as a way to assist with tightening processes and technology for the organization as a whole is often a good starting point. Also go in prepared with a clear outline of stakeholder roles and responsibilities. You'll need to answer questions like:
- If an issue is determined via the metrics what is each stakeholder's responsibility with regard to remediation efforts?
- How will information be reported to them?
- Will there be SLAs in solving and correcting concerns within the metrics?
Keep in mind - where you start as far as securing stakeholder approval also matters and is highly dependent on the culture of your organization. In some cases, starting at the top of the stakeholder chain makes it easier for other stakeholders to follow suit. Other organizations have better luck with a bottoms-up approach, getting buy-in from those responsible for ensuring progress and then getting a final thumbs up from the C-suite.
Get ready to report, analyze and improve your cybersecurity metrics
Once your cybersecurity metrics program is in full swing, you’ll have to aggregate the data you collect to output metrics reports. The reports should be sent to stakeholders with a clear representation of what’s being measured, its priority, what its baseline was and how it’s changed over time. Producing these reports requires analysis to get a full understanding of the numbers have the ability to explain progress, shortfalls and fluctuations.
Be prepared for your reports to take into account exceptions, adjusting variables and areas where combining data may muddy the waters. Often, these arise from manual and inconsistent processes. The ability to automate response and remediation processes can limit skewed metrics, streamline reporting, improve predictability and allows for better data hygiene when speaking with stakeholders.
Your deltas between a current metric and the established baseline - either positive or negative - will show change within your organization and should be reviewed by your key constituencies. Positive improvements should get just as much attention as negative metrics to applaud the hard work of those who are improving the security of the organization. Not only can this go a long way with building confidence with stakeholders, but metrics improvements in one area can shed light on how to make improvements in others.
Metrics are an important part of your cybersecurity and security operations programs and being able to measure your progress shows how well your security program is functioning. Having key stakeholders brought to review your vision and strategy will assist with getting other teams to cooperate in your data collection. The more you can automate metric collection as well as in broader security operations processes, the quicker you can respond and produce reports.