Why It’s Time To Bring Security In Line With Organizational KPIs

Forbes Technology Council

CTO at Rapid7.

Making sure your business gets a solid return on its investments—from technology to people to services utilized—is one of the fundamental principles of achieving long-term success. Even the most capital-rich organizations will face bankruptcy eventually if cash flow management goes awry. Certainly, the current economic climate poses increasing risks and pressures, too.

Unfortunately, when it comes to cybersecurity, many enterprises seem to have lost sight of ROI around purchasing decisions. Gartner predicted more than $172.5 billion would be spent on cybersecurity in 2022 and forecasts that total to be more than $267.3 billion by 2026. But despite the vast sums flowing into the industry, we have found that only a tiny percentage of firms have put proper targets in place to track whether their investment in cybersecurity is actually keeping them secure.

Key performance indicators (KPIs) are a fundamental tool for measuring return on investment. Every business asset and activity can be measured against predefined targets to ensure they perform as expected. Benchmarking will help ensure that performance improves over time.

Introducing strong KPIs around cybersecurity will help to operationalize activity, bringing security in line with other business processes that have long been defined by benchmarks and targets. Not only will this help to guide cyber spending and help deliver ROI, but it will also go a long way to improving the company’s security level.

Why Cyber KPIs Are Important

Without clear targets and metrics to guide their security spending, firms risk wasting vast amounts of capital on new cyber solutions and service contracts that provide little return.

We often find enterprises stuck in a vicious circle of “rip and replace” where they feel that their security stack is underperforming and will opt to tear up and replace large swathes of it every few years. The decision is often made with little to no actual data because security was not correctly operationalized.

This can be extremely wasteful as most of the security budget is pumped into capex to purchase new tools and set up new contracts. It can also increase the firm’s risk exposure as the security team is diverted by the need to understand new technology and processes.

KPIs are crucial for avoiding this inefficient cycle by demonstrating how security assets and activities are generating value for the business. Having an effective set of targets will enable CISOs and their teams to more easily communicate security priorities and effectiveness to the board and other stakeholders inside and outside of the organization.

Properly operationalizing cyber activity will also help the organization progress with its security maturity, moving on from the initial reactive approach to a more proactive stage of continuous improvement.

KPIs serve as critical indicators to help both security personnel and non-technical business stakeholders understand how their security controls function over time. An effective set of metrics and targets will clarify which security programs are working and which areas need more attention, as well as put cyber issues into a business context.

Keeping Connected With Business Outcomes

Context is crucial. When measuring security outcomes, it’s too easy to get swept up in the stream of data available. Each security tool in the stack will offer up its endless fount of information about how many cyber threats it has detected and prevented.

However, data alone does not make for good performance measurement. To be truly effective, KPIs need to be linked to specific and measurable outcomes that relate to business objectives. This will help translate the flow of security data into something that non-technical decision-makers more easily understand.

The average time it takes to respond to an immediate threat is somewhat useless by itself, for example. But put into the context of how these timeframes influence the likelihood of critical systems going down and operations being interrupted, and the figures become far more important.

Drawing a clear line between these metrics and their impact on the business will help to validate security activity and enable continuous improvement as both cyber threats and business priorities change.

Getting Started With Security KPIs

No universal set of KPIs can be applied to every business by default. Instead, each firm needs to define its metrics and targets based on its unique risk exposure, security maturity and business priorities.

However, there are broad subsections for security KPIs that every organization should theoretically follow: culture, measurement, accountability, process, resources and automation.

Measurement is perhaps the most obvious, relating to security capabilities around identifying, protecting, detecting, responding to and recovering from cyber threats. KPIs in this area should focus on protecting the most critical areas of the business and will cover capabilities such as the time it takes to detect and respond to incoming threats.
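As an added illustration of the measurement KPIs described here and the point above that a response time only becomes meaningful in business context, the following Python script (not code from the author or from Rapid7) computes mean time to detect and mean time to respond per asset-criticality tier, compares each against a per-tier target, and totals the hours during which critical systems were exposed. The incident records, the three-tier criticality scheme and the target values are all constructed assumptions for the example; a real run would read the same fields from a ticketing or SIEM export.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """One closed incident, as it might be exported from a ticketing system."""
    incident_id: str
    asset: str
    criticality: str          # "critical", "high" or "low" (hypothetical tiering)
    first_activity: datetime  # earliest evidence of the threat in the environment
    detected: datetime        # when the security team first raised the alert
    contained: datetime       # when the threat was contained or remediated


# Constructed sample data: four closed incidents from one reporting period.
INCIDENTS = [
    Incident("INC-001", "erp-db01", "critical",
             datetime(2024, 1, 3, 8, 0), datetime(2024, 1, 3, 8, 30), datetime(2024, 1, 3, 10, 0)),
    Incident("INC-002", "erp-app02", "critical",
             datetime(2024, 1, 5, 12, 0), datetime(2024, 1, 5, 13, 30), datetime(2024, 1, 5, 17, 30)),
    Incident("INC-003", "hr-portal", "high",
             datetime(2024, 1, 9, 9, 0), datetime(2024, 1, 9, 15, 0), datetime(2024, 1, 9, 16, 0)),
    Incident("INC-004", "dev-sandbox", "low",
             datetime(2024, 1, 12, 10, 0), datetime(2024, 1, 13, 10, 0), datetime(2024, 1, 13, 12, 0)),
]

# Hypothetical targets in minutes; tighter for the assets the business depends on most.
TARGETS = {
    "critical": {"mttd": 60, "mttr": 240},
    "high": {"mttd": 240, "mttr": 480},
    "low": {"mttd": 2880, "mttr": 1440},
}


def minutes_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def kpi_report(incidents, targets=TARGETS):
    """Mean time to detect (MTTD) and mean time to respond (MTTR) per criticality
    tier, each compared against that tier's target."""
    by_tier = defaultdict(list)
    for inc in incidents:
        by_tier[inc.criticality].append(inc)
    report = {}
    for tier, group in by_tier.items():
        mttd = mean(minutes_between(i.first_activity, i.detected) for i in group)
        mttr = mean(minutes_between(i.detected, i.contained) for i in group)
        report[tier] = {
            "incidents": len(group),
            "mttd_minutes": mttd,
            "mttr_minutes": mttr,
            "mttd_on_target": mttd <= targets[tier]["mttd"],
            "mttr_on_target": mttr <= targets[tier]["mttr"],
        }
    return report


def critical_exposure_hours(incidents):
    """Total hours critical assets were exposed, from first activity to containment.
    This is the figure that ties detection and response times to potential downtime."""
    return sum(minutes_between(i.first_activity, i.contained)
               for i in incidents if i.criticality == "critical") / 60


def failing_kpis(report):
    """(tier, metric) pairs that missed their target: the items to escalate."""
    return [(tier, m) for tier, r in report.items()
            for m in ("mttd", "mttr") if not r[f"{m}_on_target"]]


if __name__ == "__main__":
    rep = kpi_report(INCIDENTS)
    for tier, r in rep.items():
        print(f"{tier:9s} n={r['incidents']} "
              f"MTTD={r['mttd_minutes']:.0f}m ({'ok' if r['mttd_on_target'] else 'MISS'}) "
              f"MTTR={r['mttr_minutes']:.0f}m ({'ok' if r['mttr_on_target'] else 'MISS'})")
    print("critical exposure hours:", critical_exposure_hours(INCIDENTS))
    print("failing KPIs:", failing_kpis(rep))
```

Run over the same export each quarter and keep the per-tier numbers side by side; the trend, not a single period's value, is what demonstrates whether a tooling change has moved the metric. Splitting by criticality matters because a detection that takes a day on a sandbox and one that takes a day on the ERP database are very different business outcomes, even though they produce the same raw number.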

Culture is equally important, however, as this will help ensure that everyone in the organization takes security seriously. KPIs here will measure how personnel across the business think and act about security. Metrics here could include performance around human-centric threats like phishing and best practice around data and password security. Cultural KPIs need to involve personnel at all levels and departments of the organization. For example, efforts to improve phishing awareness should be a collaborative effort between security and HR and involve the entire workforce.

Getting culture and measurement KPIs right will create a solid foundation for developing other areas. As an organization’s security maturity increases, it can build on this base to implement more advanced KPIs such as automation.

With an effective set of KPIs, enterprises can finally bring their security capabilities in line with the rest of their operations. Not only will they be more confident that their increasing security spending is providing ROI, but they will also have the best chance of seeing off any incoming cyber threats.