Despite the various economic crises, organizations are pumping more money into cybersecurity than ever before. Gartner predicts that total global end-user spending on security and risk management will hit $172.5bn this year and top $267.3bn by 2026.
However, this capital is not necessarily being spent effectively. Enterprises tend to keep adding the latest solutions to their existing security stack without pausing to measure the effect on their overall security effectiveness. This feeds a cycle of ‘rip and replace,’ in which firms eventually conclude that their security stack isn’t working, tear it up and start again.
While this is sometimes justified, enterprises are often unaware of how well their solutions actually work because they have not operationalized their security in a way that tracks and measures performance.
Organizations must implement key performance indicators (KPIs) to measure success effectively and drive security decisions.
KPIs provide a way of tracking activity against a predefined target. Crucially, a KPI is not simply a metric: it is a metric paired with a goal value that is tied to a specific outcome (for example, not ‘mean time to detect’ on its own, but ‘mean time to detect below a set number of hours by a set date’).
KPIs provide clear insight into how effective the security stack is at supporting the organization’s business objectives. Clearly defined targets and measurable outcomes help translate the complexity of cybersecurity into a format that non-technical stakeholders can understand and act on.
Yet we find that only a small percentage of organizations use security KPIs properly.
While KPIs are fundamental in many other sectors, such as business architecture and service desks, the security industry has been slow to adopt them. This may be because cybersecurity is still a relatively young field and is seen as too technical for business leaders to get to grips with.
However, KPIs are critical in helping decision-makers understand cybersecurity. Effective security is not achievable without applying standard business practices to measure performance and outcomes.
Security solutions are incredibly rich in information, usually producing a near-limitless stream of data points about performance and activity. Without KPIs, this data can appear detached and inconsequential. A strong set of KPIs frames this information in a business context, ensuring that security targets align with the wider organization’s needs and goals.
Without this context, firms are more likely to make arbitrary decisions about their security stack. The cycle of rip and replace wastes capital and resources, and can leave enterprises more exposed to threats while security personnel get to grips with new solutions and processes.
Knowing what to measure has a significant impact on a business’s ability to make informed decisions about its cyber investments. The right metrics depend on the specific security solution, the organization’s security maturity and its business objectives. There are six key areas to cover:
Culture and measurement are the most important areas to address first. Getting these right helps ensure that security is taken seriously at every level of the organization and that processes are in place to track performance. They should be the priority for businesses at the start of their security maturity journey, and firms should only move on to the other areas once these foundations are in place.
Finding the right metrics is only the first step towards effective KPIs. Each KPI must be set against a goal aligned with a specific business objective and kept in step with operational priorities. Ideally, KPIs should apply to every employee in some capacity, and it must be clear which departments are involved and which leaders have ownership and responsibility for each one.
For example, a phishing KPI would target a reduction in the rate at which staff fall for phishing (such as the click rate in simulated phishing campaigns) and an improvement in awareness over time. It would apply to the entire organization but ultimately be the responsibility of the heads of security and HR.
Implementing effective KPIs enables firms to properly operationalize their security stack, ensuring they can make an informed decision before investing in new or additional solutions. Armed with this knowledge, they have the best chance of maximizing both their ROI and their security capabilities.
