By Hunter Donahue
Defining the metrics needed to accurately evaluate your company’s security posture can be the difference between having an effective security program and having unwarranted confidence in your security program. Not only are these metrics critical in ensuring you’re well-postured to contend against malicious cyber adversaries, but these metrics are also central in communicating your resource requirements to leadership.
Here are a few suggestions for cybersecurity metrics that should be tracked within your organization:
#1- Days to Patch
It takes on average 38 days for organizations to patch security vulnerabilities according to tCell. These security gaps can exist even longer when the vulnerability isn’t rated as critical. Operating system and software patching remain an important part of maintaining your security posture.
Our suggestion: Prioritize patching and incorporate your organization’s effectiveness in patching processes as a key metric that leadership routinely is briefed on.
#2- Number of Known Vulnerabilities
With large numbers of known and unknown threats targeting organizations, understanding your own threat profile is critical. Validating the vulnerabilities that affect your assets and understanding the layers of your vulnerability mitigation solutions provide deeper insight into where to invest resources.
Our suggestion: Perform regular vulnerability scans to best identify the appropriate efforts needed to improve the security posture of your company.
#3- Number of Users with Administrator/Critical Asset Access
Exceptions are often granted across the enterprise to allow employees to collaborate more easily, access documents and information, or make other necessary changes without having to involve IT administrators. This can include granting local administrator rights or other privileged access. Many organizations struggle to manage privileged access and oftentimes issue users local administrator privileges or total access to corporate resources, which results in a wide variety of issues and a significantly increased attack surface.
Our suggestion: Evaluate the access levels of all users and adjust them as needed by limiting or blocking any “super user” or administrator privileges that do not fit your risk appetite. Users should be restricted from accessing documents or resources unless they’re immediately necessary for the task at hand, and things outside of that should require an exception from a supervisor.
#4- User Security Policies
How often do your users have to change their password, and how strong must these passwords be? Do you enforce a Multi-factor Authentication (MFA) solution for employees on company equipment and services? Can everybody use the printer? These are just some of the user security policies you should use to analyze, categorize, and seek improvement in your overall security program.
Our suggestion: Categorize employees' access based on department, job tasks, and proximity to confidential or sensitive materials, and align their security expectations to an appropriate level of risk. Couple this with routine (and engaging!) training requirements so users better understand why these measures are in place and their role in keeping your enterprise safe from cyber threats is reinforced.
#5- Mean Time to Detect and Mean Time to Respond
Mean Time to Detect (MTTD), the average time it takes to discover a security threat or incident, and Mean Time to Respond (MTTR), the average time it takes to contain and remediate a threat, are immensely useful in analyzing your cyber resiliency. Poor MTTD and MTTR figures lead to higher breach costs. According to the Ponemon Institute's Cost of a Data Breach Report, the average breach cost companies $43.86 million.
Our suggestion: Knowing the effectiveness of your detection and response capabilities allows you to measure the success of your incident response plan and provides a baseline for improvement in the mitigation of potential damage by malicious actors. The success or failure of your security program can hinge on these metrics, so aim to formulate strategies and make it an organizational priority to improve these numbers.
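The two time-based metrics above (#1 Days to Patch and #5 MTTD/MTTR) are easy to compute badly: if unpatched findings or still-open incidents are simply left out, the numbers look better precisely when the backlog is growing. The following Python is an added example, not from the article or any tool it mentions, using constructed sample records; it ages open findings to the report date and reports uncontained incidents alongside MTTR, broken out by severity the way the patching discussion suggests.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample data (not from the article). Open items carry None in the
# "patched"/"contained" column; they must stay visible, or the backlog that
# most needs leadership attention silently drops out of the metric.
AS_OF = datetime(2024, 3, 1)
FINDINGS = [  # (id, severity, discovered, patched)
    ("V-1", "critical", datetime(2024, 1, 10), datetime(2024, 1, 17)),
    ("V-2", "critical", datetime(2024, 1, 20), datetime(2024, 2, 3)),
    ("V-3", "high", datetime(2024, 1, 5), datetime(2024, 2, 20)),
    ("V-4", "medium", datetime(2024, 1, 2), None),  # still unpatched
    ("V-5", "medium", datetime(2023, 12, 1), datetime(2024, 2, 9)),
]
INCIDENTS = [  # (id, first malicious activity, detected, contained)
    ("INC-1", datetime(2024, 1, 3, 9), datetime(2024, 1, 5, 15), datetime(2024, 1, 6, 11)),
    ("INC-2", datetime(2024, 2, 1, 22), datetime(2024, 2, 2, 8), datetime(2024, 2, 2, 14)),
    ("INC-3", datetime(2024, 2, 25, 0), datetime(2024, 2, 28, 12), None),  # still open
]

def days_to_patch(findings, as_of=AS_OF):
    """Days to patch per severity. Unpatched findings are aged to as_of rather
    than dropped, so a growing backlog raises the number instead of hiding."""
    by_sev = {}
    for _, sev, found, fixed in findings:
        bucket = by_sev.setdefault(sev, {"ages": [], "open": 0})
        bucket["ages"].append(((fixed or as_of) - found).days)
        if fixed is None:
            bucket["open"] += 1
    return {sev: {"mean": round(mean(b["ages"]), 1), "median": median(b["ages"]),
                  "open": b["open"]} for sev, b in by_sev.items()}

def mttd_mttr_hours(incidents):
    """MTTD = mean(detected - first activity); MTTR = mean(contained - detected).
    Uncontained incidents have no response time yet, so they are counted
    separately instead of being silently excluded."""
    def hours(start, end):
        return (end - start).total_seconds() / 3600
    detect = [hours(start, seen) for _, start, seen, _ in incidents]
    respond = [hours(seen, done) for _, _, seen, done in incidents if done]
    return {"mttd_hours": round(mean(detect), 1),
            "mttr_hours": round(mean(respond), 1) if respond else None,
            "uncontained": sum(1 for *_, done in incidents if done is None)}

if __name__ == "__main__":
    print(days_to_patch(FINDINGS))    # medium shows mean 64.5 days, 1 open
    print(mttd_mttr_hours(INCIDENTS))  # MTTD 49.3 h, MTTR 13.0 h, 1 uncontained
```

Reporting the median next to the mean matters on small samples, where a single long-open finding can double the average.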
#6- Vendors/Partners with Cybersecurity Policies
Vendors and business partners are often neglected when organizations evaluate their security posture. Without assessing their security controls, you can never truly assess your own. It's likely that your network of vendors and partners has some level of established trust or federation with your corporate enterprise. This in turn opens up potential vulnerabilities that need to be evaluated.
Our suggestion: Create a rating system that ensures your vendors and partners have an effective security program, including a vulnerability discovery and mitigation plan, before entering into a formal partnership. Successful organizations often evaluate third parties through security questionnaires or other requirements, such as frameworks like the NIST (National Institute of Standards and Technology) Cybersecurity Framework and the CIS Critical Security Controls, or accreditations such as ISO 27001, FedRAMP, HITRUST and PCI DSS. Provide partners and vendors with limited access to your internal infrastructure to isolate any potential collateral damage should a vendor or partner be breached. Inform all vendors and partners of your own security policies, and work in tandem, with frequent communication, to improve your collaborative security efforts.
These are just a few of the metrics you can use to better grasp the entirety of your security posture. Companies that use indicators of compromise and other analytics specific to their threat profile are better positioned against cyber-attacks, can more easily quantify their risks, and benefit from improved cyber resiliency. Incorporating these metrics into security dashboards and processes enables more informed decisions around your organization's security posture and supports the necessary conversations with leadership.