登录查看更多内容

How can you measure the success of a cybersecurity transformation?

由人工智能和领英社区提供技术支持

Cybersecurity transformation is the process of improving and adapting the security posture, capabilities, and culture of an organization to cope with evolving threats, regulations, and business needs. It involves aligning the security strategy with the business objectives, implementing best practices and standards, enhancing the security skills and awareness of the workforce, and leveraging the latest technologies and tools. But how can you measure the success of a cybersecurity transformation? Here are some key indicators and metrics that can help you evaluate and communicate the progress and value of your cybersecurity transformation.

此文章中的业界达人

由社区从 8 条内容中精选。了解更多

Surinder S. Rait

Head of Global IT Security Assurance at Ericsson
Vineet Kakkar

Cybersecurity Strategy | IT/ Cybersecurity Governance | IT Risk Management | Cyber Risk & Resilience | AI Governance |…
Henrik Parkkinen

Information Security Officer | Globally recognized cybersecurity leader | 40 under 40 in Cybersecurity | Governance &…

1 Security maturity level

One way to measure the success of a cybersecurity transformation is to assess the security maturity level of your organization. Security maturity refers to how well your organization can identify, protect, detect, respond, and recover from cyberattacks, as well as how it can continuously improve its security processes and performance. There are various frameworks and models that can help you measure your security maturity, such as the NIST Cybersecurity Framework, the ISO/IEC 27001 standard, or the CMMI Cybermaturity Platform. By using these frameworks, you can benchmark your current state, identify gaps and weaknesses, set goals and priorities, and track your improvement over time.

添加您的观点

Jeevan Badigari

Head of Cybersecurity | Security Leadership | Passionate about Protecting
(已编辑)
举报内容
While ISO 27001 and CMMI maturity are broad and cover wide range of areas. They don’t necessarily indicate cybersecurity maturity in technical terms. For example ISO scope can be reduced to specific function or department. If an organization is starting cybersecurity function or at initial stage, it is important to look at some technical controls such as CIS Controls which offer grouping of IG 1 (essential - hygiene ) , IG2 and IG3 which offer prioritized, simplified , descriptive controls and best practices that will enhance the posture and strengthen the defenses.

已翻译

赞
JIMMY LEE

Community Top Voice | Tech Enthusiast | Innovative and Strategic | High-impact Performer
举报内容
Quantitative and qualitative metrics can both be used to help measure the success. For instance, reduced incidents, improved threat detection and response time, reduced costs, enhanced awareness of employees, and adaptability of the system being able to incorporate new technologies to handle threats.

已翻译

赞
Surinder S. Rait

Head of Global IT Security Assurance at Ericsson
举报内容
No matter which framework organization choose, the effectiveness depends on the management commitment and the implementation of this framework. Define clear mandates, requirements, risk appetite and clear measurement criterias (KPI's) to measure the effectiveness which everyone in the organization is committed to. Establish governance and create a continous improvement with PDCA lifecycle.

已翻译

赞

2 Security risk exposure

Another way to measure the success of a cybersecurity transformation is to evaluate the security risk exposure of your organization. Security risk exposure refers to the potential impact and likelihood of cyberattacks on your organization's assets, operations, reputation, and compliance. By conducting regular security risk assessments, you can identify and quantify the vulnerabilities and threats that affect your organization, and prioritize the mitigation and remediation actions. You can also use security risk metrics, such as the number and severity of incidents, the time to detect and contain breaches, the cost of recovery and remediation, or the compliance status and fines, to measure and communicate the effectiveness and efficiency of your security controls and response.

添加您的观点

Mohammad Talha Omer

Manager SOC | Cybersecurity Consultant | Networks Security Architect | Fortinet & Paloalto Certified | Cyber-Awareness Trainer | LogRhythm & IBM QRadar SIEM, XDR, Firewall, WAF Administrator.
举报内容
The success of a cybersecurity transformation can be measured by a reduction in security incidents and compliance adherence, enhanced detection and response capabilities, efficient patch and vulnerability management, improved user awareness and training, reduced downtime, cost savings, increased security maturity, specific KPIs tracking, customer and stakeholder confidence, incident recovery time, positive security audit results, employee satisfaction, threat intelligence integration, and the ability to maintain business continuity. Monitoring these metrics helps organizations assess the effectiveness of their cybersecurity efforts and make informed adjustments to strengthen their security posture.

已翻译

赞
Surinder S. Rait

Head of Global IT Security Assurance at Ericsson
举报内容
- In my view, creating a realtime visibility helps in the overall risk management lifecycle - Must define risk appetite so that the organization knows the boundaries e.g. if my asset registration for internet facing asset is at 20% and my target is 100% than i know overtime how effectively we are mitigating our risk and reducing the exposure - Effective governance through management commitment is the key to success.

已翻译

赞

3 Security culture and awareness

A third way to measure the success of a cybersecurity transformation is to monitor the security culture and awareness of your organization. Security culture and awareness refer to how your organization's leaders, employees, partners, and customers perceive, value, and practice security in their daily activities. By fostering a positive and proactive security culture, you can increase the engagement and accountability of your stakeholders, reduce human errors and insider threats, and enhance the resilience and trust of your organization. You can measure and improve your security culture and awareness by using surveys, quizzes, feedback, training, campaigns, or gamification, and by tracking metrics such as the participation rate, the knowledge level, the behavior change, or the satisfaction score.

添加您的观点

Surinder S. Rait

Head of Global IT Security Assurance at Ericsson
举报内容
While you measure the effectiveness identify the root cause. This will give a clear picture of how the culture of the organization is when it comes to security. In my personal opinion trainings can improve the skill and competence but not build culture. Culture is when people follow the process without anybody policing them.

已翻译

赞

4 Security innovation and agility

A fourth way to measure the success of a cybersecurity transformation is to gauge the security innovation and agility of your organization. Security innovation and agility refer to how your organization can leverage the latest technologies and tools, such as cloud, artificial intelligence, automation, or blockchain, to enhance its security capabilities and performance. By adopting a security-by-design and security-by-default approach, you can integrate security into your development and delivery processes, reduce complexity and costs, increase speed and scalability, and enable new business opportunities and value propositions. You can measure and demonstrate your security innovation and agility by using metrics such as the time to market, the return on investment, the customer satisfaction, or the competitive advantage.

添加您的观点

5 Security alignment and value

A fifth way to measure the success of a cybersecurity transformation is to verify the security alignment and value of your organization. Security alignment and value refer to how your security strategy and initiatives support and enable your business objectives and outcomes. By aligning your security vision, mission, and goals with your business strategy, you can ensure that your security investments and activities are relevant, justified, and prioritized. By communicating and showcasing the business value of your security efforts, you can increase the awareness and appreciation of your stakeholders, and demonstrate the contribution and impact of your security function. You can measure and report your security alignment and value by using metrics such as the revenue growth, the cost savings, the customer retention, or the brand reputation.

添加您的观点

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Vineet Kakkar

Cybersecurity Strategy | IT/ Cybersecurity Governance | IT Risk Management | Cyber Risk & Resilience | AI Governance | BCP/DR Planning | Compliance (SOX, ICFR, ITGC) | Data Privacy | Third-Party Risk Management (TPRM)
举报内容
Focus on key indicators like a reduction in security incidents, faster response times to threats, improved employee cybersecurity awareness, and compliance with industry standards. Additionally, positive audit results, enhanced threat detection capabilities, and increased stakeholder confidence are crucial metrics that reflect the effectiveness of the transformation.

已翻译

赞
Henrik Parkkinen

Information Security Officer | Globally recognized cybersecurity leader | 40 under 40 in Cybersecurity | Governance & Strategy | Leadership | GRC | HenrikParkkinen.com | CISM, CRISC, CISA, CGEIT, COBIT, CCSK, SABSA SCF
举报内容
Create a cybersecurity transformation index and build it up with indicators relevant and which stand in relation to your organization. Correlate your cybersecurity transformation activities with your organization’s business objectives to showcase the value of your transformation program. Engage with your business stakeholders, on a periodic basis, and evaluate the index and indicators. Adjust them together if needed and also consider to adjust and adopt the transformation plan if needed. This could for example be necessary if external events take place, which you cannot control, but need to take into consideration. Example geo-politics, emerging risks, global mega trends, cyber threats.

已翻译

赞

IT Strategy

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How can you measure the success of a cybersecurity transformation?

1

2

3

4

5

6

1 Security maturity level

2 Security risk exposure

3 Security culture and awareness

4 Security innovation and agility

5 Security alignment and value

6 Here’s what else to consider

IT Strategy

给文章评分

感谢您的反馈

更多IT Strategy相关文章

更多相关阅读内容

How can you measure the success of a cybersecurity transformation?

1

2

3

4

5

6

1 Security maturity level

2 Security risk exposure

3 Security culture and awareness

4 Security innovation and agility

5 Security alignment and value

6 Here’s what else to consider

IT Strategy

给文章评分

感谢您的反馈

查看其他技能