What do you do if your Cybersecurity executive's success metrics and indicators are falling short?

Most Cyber Security KPIs in my career have fallen short due to the KPIs measuring the wrong thing. KPIs tend to measure other organizations, such as IT, then the actual cyber security program. With KPIs the first question we should be asking is what are the KPIs used for. Assessing staffing model, assessing skillsets, assessing visibility. These are the KPIs that are really needed to improve and drive decisions in executives. Producing numbers such as, number of detections, number of incidents, vulnerability data, risk metrics. Do nothing for saying how the cyber security team. Layout the intent of what the metrics are going to be used for and ensure you are really measuring Cyber Security Efficacy. Drive for Change

Don't hesitate to pivot strategies to ensure success, consider aligning KPIs with organizational goals. Engage stakeholders for feedback and recalibrate as needed. Remember, it's about adaptability and continuous improvement.

When assessing KPIs and metrics, the key question is: What decisions can or should management make based on these metrics? Have I defined a target/threshold value within which the metric is okay for me? If I cannot answer both questions or cannot answer them completely, the metric is probably useless.

Executive cyber reporting is hard to accomplish: language barrier between tech & business; complexity, dispersion and lack of integration of solutions’ telemetry; no guidance against multiple concurrent risks; and, above all, the absence of a "single source of truth”. Companies typically adopt external cyber risk rating, management consoles from several vendors (EDR, SIEM, IPS,…), cyber threat intelligence insights and (seldom) custom dashboards. Brave ones try complex and never-ending risk management platforms (Archer, Open Pages, SAP Risk Mgt.). My recommendation: threat detection, investigation & response (TDIR) platforms that enable a 360o view of digital risk from multiple sources, such as Crowdstrike Falcon or EagleSight by MNEMO.

Are the current KPIs (Key Performance Indicators) still relevant to the organization's security goals? The cybersecurity landscape is dynamic, and yesterday's benchmarks might not reflect today's threats. Things to ask yourself: - Have our security priorities shifted in recent months? - Have new regulations or compliance requirements emerged? - Do the current KPIs encompass critical areas like incident response times, phishing simulation success rates, or vulnerability patching timelines? Cybersecurity KPI industry standard: 1. Level of Preparedness 2. Unidentified Devices on Internal Networks 3. Intrusion Attempts 4. Security Incidents 5. MTTD 6. MTTR 7. MTTC and quite a few.

Conduct an RCA: 1. Identify Trends 2. Brainstorming sessions 3. Data analysis 4. Security assessments Develop action plan: Once you understand the root causes, you can develop a targeted action plan to address them. 1. Implement zero-trust security model 2. Invest in better technology 3. Employee Training and Awareness 4. Resource Allocation Communicate the findings to the top management. Remember, cybersecurity is an ongoing process. Regularly monitor your KPIs, conduct periodic security assessments, and adapt your strategies as needed to maintain a robust security posture in the ever-evolving threat landscape.

After verifying metric relevance in our cybersecurity strategy, we delved into a root cause analysis. We identified shifts in threat landscapes and internal process inefficiencies as key factors. Developing a targeted action plan involved enhancing security protocols, adopting new technologies, and providing additional team training. Addressing these underlying issues bolstered our defenses and improved our overall cybersecurity posture.

For each metric that is falling short, conduct a root cause analysis to understand why. Consider factors like changes in the threat landscape, resource constraints, implementation challenges, or misalignment of tools and processes. Engage with key stakeholders across the organization, including IT, operations, and business units, to gain insights into challenges and barriers they face that might impact cybersecurity performance.

Pinpoint the main vulnerabilities or inefficiencies within your current cybersecurity framework. Develop specific, achievable actions for each identified issue. Ensure each step is practical and well-defined. Arrange the actions in order of their potential to enhance security and the resources they require. Establish deadlines for each action and delegate tasks clearly to ensure accountability. Share the action plan across the organization to encourage a united and informed approach to implementation.

Establish clear, measurable, and achievable goals for improving each underperforming metric based on the insights gained from the diagnostic phase. Evaluate if there are sufficient resources (budget, personnel, technology) to achieve the set goals. If not, develop a plan to secure the necessary resources.

Set up regular monitoring schedules. Track progress against the new metrics to see the effectiveness of the implemented changes. Analyze the outcomes. Determine if the actions are meeting the desired goals and where there's room for improvement. Adjust strategies as needed. Be agile in your approach, ready to refine tactics to better align with emerging threats and opportunities. Keep your team informed and engaged. Regular updates will maintain focus and drive collective efforts toward cybersecurity goals.

Establish channels for receiving feedback from various stakeholders on the effectiveness of the cybersecurity measures and their impact on the business operations. Encourage employees to provide input on cybersecurity practices, particularly those affecting their work, to gain insights into potential improvement areas.

You can use the hands-on experience of your team members to gain insights into real-world challenges and innovative solutions. Create a space where team members feel safe and encouraged to share their observations and ideas. Encourage team involvement in developing and refining strategies, which builds commitment and enhances effectiveness.

Share the performance metrics openly with the team, highlighting both successes and areas for improvement to foster a sense of ownership and accountability. Assign specific metrics or areas of improvement to individual team members or small groups, empowering them to take ownership and responsibility for enhancements.

Assess the current capabilities of the cybersecurity team against the skills required to meet your cybersecurity objectives. Identify any significant gaps or areas for improvement Encourage team members to perform self-assessments of their skills and identify areas where they seek improvement.

Regular training keeps your team updated on the latest security technologies and tactics, crucial for staying ahead in a rapidly evolving field. With current knowledge, your team can better identify vulnerabilities, respond to incidents, and implement security measures. Investing in professional development shows commitment to your team's growth, enhancing job satisfaction and loyalty.

Based on the assessment some metrics need to be kicked out of reports: If so, do it consequently and do not invest any time im keeping the metric alive. The metrics that matter might need a readjustment in terms of target/threshold values. A "time to fix critical vulnerabilities" (e.g. based on CVSS and additional internal factors) of more than 30 days (that's a real life example I've seen some weeks ago) is not acceptable any more. The true story behind this KPI is: We accept systems being vulnerable more than 30 days after the vendors release their security patches (e.g. Microsoft).