Create a Solid Cybersecurity Plan
Should you measure the maturity and performance of your security program? How often? A survey suggests 60% of CISOs (chief information security officers) measure their security programs at least once a month and 89% measure the maturity and performance of their full security program at least once each quarter. Let’s take a closer look at how they are measuring and evaluating potential threats.
The report from Onyxia Cyber surveyed more than 200 CISOs across a wide range of industries in the United States and Canada. Aspects in the survey include evaluating what metrics CISOs are measuring and how they are assessing cyber risk across multiple areas, such as incident response, vulnerability patching, and phishing simulations, as well as the overall impact of various cyber risk-management strategies.
The results from the survey are very enlightening. We see 33% of CISOs are not working toward a same-day MTTD (mean time to detect), and do not have an SLA to start working on mitigating risk within 8 hours of a breach.
What about the time to respond? MTTR (mean time to respond) is an important KPI (key performance indicator) for all security teams, as the longer the dwell time of an attack, the more catastrophic its impact. The average MTTR CISOs report is 9 hours, with the IT industry being the fastest to respond to threats, in under 7.4 hours. The financial services industry, which many expect to be ahead of the curve in security, is actually at just over 9.3 hours.