Blog

Confidential data protection is of key importance for any company. Any information leakage can lead to devastating consequences: damage to reputation, financial losses, market positions loss, customer churn, etc. The internal cybersecurity system must provide reliable data protection, as well as be proactive – detect and prevent cyberattacks in time.

To track cybersecurity level, it’s necessary to have a checklist and analyze KPIs. Key Performance Indicators (KPIs) are an effective way to measure the success and effectiveness of any program, including cybersecurity. It is impossible to assess the real state of security and protection level without analyzing the operation of the cybersecurity system.

Cybercriminals evolve dynamically and constantly come up with new and more sophisticated methods of attack. Accordingly, processes and technologies for their prevention are changing. It is important to regularly evaluate the effectiveness of protection tools and timely replace and/or update obsolete tools.

Analysis of key performance indicators (KPIs), key risk indicators (KRIs) and security measures allows to get a complete picture of security team work, understand what is working and what doesn’t work, and take appropriate actions. Metrics provide quantitative information that can be easily compiled into a report and shared with all stakeholders.

Cybersecurity key performance indicators:

• Level of preparedness – determining the number of serviceable and updated devices, scanning for vulnerabilities and managing them;
• Unidentified devices on internal networks – network intrusion detection (employees can increase cyber risks and pose a threat using their own devices and poorly configured IoT devices);
• Intrusion attempt – the number of attempts by intruders to gain unauthorized access;
• Security incident – the number of information assets breaches and/or network breaches;
• Mean time to Detect (MTTD) – the time at which security threats go unnoticed (i.e., the metric shows the time required for specialists to detect a threat);
• Mean time to resolve (MTTR) – the average response time of specialists’ team to a cyberattack, determines the quality of the incident response plan implementation;
• Mean time to contain shows the response time of the company and the ability to measure its cybersecurity state;
• Security ratings – assessing cybersecurity risks, identifying information security indicators that require attention;
• Average safety rating of third parties;
• Patching Cadence – time to implement application security patches and/or fix high-risk vulnerabilities;
• Access control and access analysis (which user has administrator rights);
• A measure of third-party risk and potential vulnerabilities;
• Time of third-party response to an incident. A security incident is a successful cyberattack. However, the target can also be a company that cybercriminals are trying to gain access to through a third party. The longer a partner takes to respond to an incident, the more likely the company is to suffer from a data breach.

There is no general decision on which metrics to use. Each company chooses KPI and KRI depending on the field of activity, company needs, rules, guidelines, management’s vision of risks, etc. It is important that the selected metrics are understandable to everyone, including non-technical specialists, reflect the current situation and help make decisions regarding company cybersecurity.