The field of cybersecurity performance management has struggled with the effective use of metrics. While there’s no shortage of things to measure, the most critical aspect – and the one that’s been the most poignantly missing – is context.
When measuring and communicating readiness against ransomware, insider, supply chain or other common threats, a list of gaps doesn't offer the information or context to understand how ready you are and what actions you need to take to improve.
Metrics are designed to measure the performance of a cybersecurity control – but to be effective, they need to be placed in context.
Historically, the main reason context has not been a part of metrics is that it’s very hard to do. Context is based on multiple factors, determined by an enormous number of data points, which come from multiple sources, in many different formats. Even if you aggregate all this data, you would still need to normalize and contextualize it in order to reduce the noise.
For security data, context depends on what you are measuring and on the set of questions you want to answer.
For example, if you are looking at devices, you will want to understand which are public-facing, which are active, what their level of criticality is, and whether they have checked in lately. If, on the other hand, you are looking at users, you will want to understand who has high privileges, who is active, and so on.
Only when you have the metric (how well the tool is performing), placed in context (how much it affects my overall readiness), plus historical trends (how this control has performed previously), do you get a “storied” big picture: a larger understanding of your readiness, together with the ability to zoom in on the supporting data.
On the operational level, security teams need to step away from the big picture and zoom in on the supporting data, depending on who they are speaking to.
This is so they can identify exactly which controls and capabilities they should improve to increase their readiness level.
The goal is not to try to close all gaps (at least initially), or to be 100% ready for a threat, but rather to know which gaps, if closed, would make the biggest impact.
A key example – Quantifying Ransomware Readiness
Imagine you want to assess your home’s readiness level for a potential break-in. The first step would be to identify what you have (cameras, locks, alarm); the second step would be to assess how each is performing; and the third would be to identify gaps and areas for improvement. This very sequence forms the basis of SeeMetrics' logic for assessing readiness level for a cyber threat.
Here’s how we approach it:
1. We begin by pinpointing the right set of metrics across different security programs that most significantly indicate threat readiness.
For ransomware, we measure dozens of metrics, including:
- Phishing Rate / Security Training Completion Rate
- Mean Time to Remediate (MTTR)
- Open Critical Vulnerabilities
- MFA Coverage
- Unpatched Endpoints
- And more…
2. We bake context into the metrics, to provide the level of knowledge to help prioritize risks.
Here, the context refers to the defining characteristics of what we’re measuring.
For example, if we want to zoom in on our vulnerability or identity management programs, the last thing you as a security leader need is a statement such as "We have 300K open critical vulnerabilities" or "3,000 users don't have MFA enabled," because the next question is where to start, and whether all vulnerabilities or users are equally important (spoiler: they're not).
Of course, throughout this process you can achieve quick wins too – by removing devices that are turned off, ephemeral, or haven’t checked in for over 30 days, etc. That said, the ability to zoom in helps you focus on what matters the most.
3. Lastly, we measure everything over time to provide historical trends.
You can compare metrics against your objectives and understand how well you are performing in the context of what happened historically.
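The three steps above, worked through on a constructed device inventory, as an added example that is not SeeMetrics code: the raw metric is the plain count of open critical vulnerabilities, the contextualised metric drops devices that are powered off or have not checked in for over 30 days (the quick wins named above) and weights the rest by an assumed criticality scale and a public-facing multiplier, and a small trend function compares the latest value with history and an objective. The weights, the criticality scale, the device records and the quarterly history are all assumptions made for the illustration.

```python
"""Context-weighted readiness metric for open critical vulnerabilities.

Added illustration only (not SeeMetrics code). All devices, weights and
history values below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER_DAYS = 30                      # devices silent longer than this are excluded
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}   # assumed scale
PUBLIC_FACING_MULTIPLIER = 2.0             # assumed: internet-exposed assets count double

TODAY = date(2024, 9, 30)                  # fixed "now" so the example is reproducible


@dataclass
class Device:
    name: str
    open_critical_vulns: int
    public_facing: bool
    criticality: str          # "high" | "medium" | "low"
    last_checkin: date
    powered_on: bool


# Constructed inventory: two healthy servers, a stale lab VM, a powered-off kiosk, a laptop.
SAMPLE_DEVICES = [
    Device("web-01", 40, True, "high", TODAY, True),
    Device("db-01", 25, False, "high", TODAY - timedelta(days=2), True),
    Device("lab-vm-07", 300, False, "low", TODAY - timedelta(days=45), True),
    Device("kiosk-03", 10, False, "low", TODAY - timedelta(days=1), False),
    Device("dev-laptop-12", 50, False, "medium", TODAY - timedelta(days=5), True),
]

# Constructed quarterly history of the weighted exposure figure.
SAMPLE_HISTORY = [("2024-Q1", 600.0), ("2024-Q2", 500.0), ("2024-Q3", 415.0)]


def is_active(dev: Device, today: date) -> bool:
    """A device counts only if it is on and has checked in within the window."""
    return dev.powered_on and (today - dev.last_checkin).days <= STALE_AFTER_DAYS


def context_weight(dev: Device) -> float:
    """Context = criticality, doubled when the device is public-facing."""
    weight = CRITICALITY_WEIGHT[dev.criticality]
    if dev.public_facing:
        weight *= PUBLIC_FACING_MULTIPLIER
    return weight


def raw_metric(devices: list[Device]) -> int:
    """The context-free number a dashboard would show ("we have N open criticals")."""
    return sum(d.open_critical_vulns for d in devices)


def contextualised_metric(devices: list[Device], today: date) -> dict:
    """Step 2: bake context in, separate quick wins from what to fix first."""
    active = [d for d in devices if is_active(d, today)]
    quick_wins = [d.name for d in devices if not is_active(d, today)]
    exposure = {d.name: d.open_critical_vulns * context_weight(d) for d in active}
    ranked = sorted(active, key=lambda d: exposure[d.name], reverse=True)
    return {
        "raw_open_criticals": raw_metric(devices),
        "active_open_criticals": sum(d.open_critical_vulns for d in active),
        "weighted_exposure": sum(exposure.values()),
        "quick_wins": quick_wins,            # stale or off: retire, don't patch
        "fix_first": [d.name for d in ranked],  # highest weighted exposure first
    }


def trend(history: list[tuple[str, float]], objective: float) -> dict:
    """Step 3: compare the latest value with the previous period and the objective."""
    _, first = history[0]
    _, previous = history[-2]
    _, latest = history[-1]
    return {
        "latest": latest,
        "change_since_previous": latest - previous,
        "pct_change_since_start": round((latest - first) / first * 100, 1),
        "meets_objective": latest <= objective,
    }


if __name__ == "__main__":
    result = contextualised_metric(SAMPLE_DEVICES, TODAY)
    print("raw count:", result["raw_open_criticals"])
    print("on active devices:", result["active_open_criticals"])
    print("weighted exposure:", result["weighted_exposure"])
    print("quick wins:", result["quick_wins"])
    print("fix first:", result["fix_first"])
    print("trend:", trend(SAMPLE_HISTORY, objective=400.0))
```

The same five devices yield a raw count of 425 open criticals, but only 115 of those sit on devices that are on and recently seen, and the weighted view puts the public-facing high-criticality web server ahead of the laptop even though the laptop has more findings. That is the difference between "300K open criticals" and a list of what to fix first.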
To summarize, SeeMetrics’ approach allows you to accurately represent your organizational readiness in real time, to take an easily communicable big picture to your board, supported by data points, and to let your teams zoom in on the specific metrics. It bridges the gap between these two conversational directions – between security leaders and their board, and between security leaders and their teams – so they can all speak the same language, in the same context, on the same data.
Finally, the actionable insights help the teams drive a data-driven action plan to improve overall readiness level.
See an example of our Ransomware Board below. And get in touch to learn more!