6 Essential Computer Security Indicators – and 4 Obsolete
Computer security is increasingly important to many companies and of increasing interest to their boards of directors. This means proper reporting is more important than ever. But some computer security indicators are important while others are already obsolete. In many organizations, computer security is still described as an unnecessary cost, so the most difficult part of a cybersecurity team's job is showing the success and value of the whole security team.
Of course, both organizations and security leaders have used countless metrics over the years. At the same time, management and board members have often complained that security metrics do not give them adequate insight into, or understanding of, what the security department does, what it achieves with its computer security software, and where the problems are.
Many security professionals make one major mistake all the time: they present too much technical jargon to the CEO and the board. We report critical security vulnerabilities all the time, but management does not understand what the problem is because it has no context.
All experts love numbers and technicalities, but cybersecurity specialists still have to work on developing computer security indicators so that management understands the risks and the amount of investment they have to bear.
Cybersecurity experts are also unable to identify a single indicator that accurately reflects their efforts and how the situation improves over time. Still, some indicators are more useful than others.
Computer Security Metrics That Matter To The Business
Specialists believe that today we must take into account both the growing range of options for ensuring security and the board's increasing oversight of it. However, the point remains to report only those indicators that a given company really cares about. Only in this way can the company achieve its goals.
I personally model risk for companies very often, so I have to define indicators aimed at keeping services available around the clock. Instead of reporting the number of attacks a given company experiences, which is pointless, it is much better to measure the impact of attacks on areas such as performance and operations, to indicate remedial recommendations that can be implemented at relatively low cost, and to add information on how they will reduce the risk and improve the security indicators for the entire business.
At the same time, what works in one company will not necessarily work in another as a tactic for securing computers. Each company should have its own reporting indicators that are actually able to reduce business risk so that it can calmly achieve its key goals. In fact, the numbers are secondary, or even further down the list; the primary focus should be on achieving your business goals.
When reporting threats, it is worth going beyond identifying threats with standard problem-solving methods and focusing on classifying them, for example according to COBIT-5, and then actually assessing the risk with, for example, an action plan. It is the action plan that allows you to define the context that the business will understand and that can help it make decisions about investing in computer security.
Understanding Security for Computers
The main issue is always to go beyond the numbers and look at the deadlines for delivering individual functionalities. It is really important to align metrics with key business functions. From my own perspective, the most important things are always the arrangements made with the business, because only maintaining the right balance between security and business allows you to be successful.
I would recommend that everyone match key risk indicators to a classification of information, aligned with the assets and objectives of the organization's computer security software. For example, if the goal of an organization is to minimize the duration of disruptions, that is a goal that can be measured and tracked. Or, if an organization needs to implement a technological solution such as a new computer security software purchase, progress should be reported over time.
Remember that in the overall cybersecurity process, understanding the balance between security and business solutions is paramount. It is very often the case that failure to achieve business goals negates cybersecurity efforts.
Let us state it once more. The main task of security in any organization is to find areas that actually provide measurable information, and then stick to them consistently throughout the process. At the same time, my small piece of advice is to always inform the business of problems and then leave risk acceptance to management.
6 Conventional Indicators That Remain Valuable for Computer Security in Organizations
Basically, some metrics remain valuable to any organization, even though we should all use a business-first approach. At the same time, additional context should always accompany each of these computer security indicators. For example, it does not make sense to measure the total number of phishing attacks, but it is worth measuring how many of them passed through the filters and how many of them succeeded in your organization. Let's move on to the indicators that have an impact on the business and on security for computers. Here they are:
Results of simulated phishing attacks. Many organizations use simulated phishing attacks to evaluate the effectiveness of employee training and to set goals for improvement.
Average recovery time. It is also very common to measure the percentage of users affected by an incident, the speed with which the entire IT and risk department resolved a given problem, and whether that time falls within the specified incident response time.
Average time of incident detection. The average time from the occurrence of an attack to its detection is very valuable information, and we should track it to show what we need to do next. This indicator clearly shows how well the security program works in practice and what needs fixing. Moreover, it encourages new investments and improvements.
Penetration testing results. Like simulated phishing attacks, penetration testing metrics show how well an organization can resist an actual attack and track improvements over time. Special computer security software can support this.
Remediation of high-impact vulnerabilities. There is another very important metric for reporting the effectiveness of the security department's activities. In general, the focus should not be on the number of remediated vulnerabilities but on remediating the vulnerabilities that have the greatest impact on the organization. In fact, patching 100 low-risk vulnerabilities will not improve the security posture if a critical vulnerability is still present. Always report what has the greatest impact on your business.
Organization security audit. Here you can report audit scorecards for audits carried out in accordance with the NIST, ITIL and CIS standards. But having any audit is better than having none.
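As an added example (not part of the original post), here is how the indicators above can be computed from constructed sample data: mean time to detect, mean time to recover, the share of incidents resolved within the response-time target, the worst-case share of users affected, phishing-simulation pass-through and success rates, and a remediation report that flags open critical findings. The incident records, the 400-user headcount and the 8-hour target are all made up for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data); timestamps are ISO 8601.
INCIDENTS = [
    {"occurred": "2024-03-01T08:00", "detected": "2024-03-01T10:00",
     "resolved": "2024-03-01T14:00", "users_affected": 12},
    {"occurred": "2024-03-05T22:00", "detected": "2024-03-06T06:00",
     "resolved": "2024-03-06T20:00", "users_affected": 40},
    {"occurred": "2024-03-09T09:30", "detected": "2024-03-09T09:45",
     "resolved": "2024-03-09T11:45", "users_affected": 2},
]
TOTAL_USERS = 400   # assumed headcount for the "share of users affected" figure
SLA_HOURS = 8       # assumed target incident response time (detection to resolution)

def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def mean_time_to_detect(incidents):
    """Average hours from the attack occurring to its detection."""
    return mean([_hours(i["occurred"], i["detected"]) for i in incidents])

def mean_time_to_recover(incidents):
    """Average hours from the attack occurring to the problem being resolved."""
    return mean([_hours(i["occurred"], i["resolved"]) for i in incidents])

def share_resolved_within_sla(incidents, sla_hours=SLA_HOURS):
    """Fraction of incidents whose detection-to-resolution time met the target."""
    met = sum(_hours(i["detected"], i["resolved"]) <= sla_hours for i in incidents)
    return met / len(incidents)

def worst_case_users_affected(incidents, total_users=TOTAL_USERS):
    """Largest share of the user base hit by a single incident."""
    return max(i["users_affected"] for i in incidents) / total_users

def phishing_simulation_rates(sent, passed_filters, clicked):
    """Report what got past the filters and what then succeeded, not the raw volume."""
    return {"filter_pass_rate": passed_filters / sent,
            "success_rate": clicked / passed_filters if passed_filters else 0.0}

def remediation_report(vulns):
    """Count completed fixes, but flag whether any critical finding is still open."""
    fixed = sum(v["fixed"] for v in vulns)
    open_critical = sum(v["severity"] == "critical" and not v["fixed"] for v in vulns)
    return {"fixed": fixed, "open_critical": open_critical,
            "posture_improved": open_critical == 0}
```

Reporting `posture_improved` alongside the fix count is what keeps "100 low-risk patches" from looking like progress while a critical finding stays open.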
Four Indicators We Should Deviate From for Computer Security
Most world-class experts suggest moving away from a few outdated indicators that should not concern anyone, or should be sidelined completely. Here they are:
Number of attacks. As a board member, I would not care if someone showed me that they had 1,000 attacks in one day and all of them were blocked by the computer security controls. Why should the security team get more money if everything is fine? I am more interested in stopping the one attack that has a merciless impact on the business.
Fixes completed, identified vulnerabilities, viruses blocked. These measurements can make some internal sense, for example if we want to report them upward or comply with some stupid regulation by confirming that the organization complies with it, but they have little or no value in themselves. In the real world they should be completely ignored.
I am a founder at SilenceOntheWire. The company was created out of a desire to realize a passion for IT security. The founders of the company, whose domain is security, were united by shared goals and vast professional experience (security audits, building web applications and solutions, social media). This meeting of knowledge and experience resulted in a project providing comprehensive security protection for companies running their business in cyberspace.
Our main priorities throughout are the quality and professionalism of the services we provide, and compliance with the various standards and laws, especially on personal data safety, trade secrets, and the recommendations of the EU and the Polish Financial Supervision Authority.