Information security is not a one-time effort. You must track your efforts with information security metrics. Investing in information security is important, but many organizations do not track metrics and KPIs.
PwC reported that 22% of chief executives believe that their risk exposure data is sufficient to inform their decisions. This statistic still holds even though 10 years have passed since PwC published it. Meanwhile, an EY report shows that 36% of organizations in the financial services sector worry about “non-existent or very immature” metrics and reporting.
The organizations included in these statistics invested heavily in infosec. However, they did so only for compliance. Hence, they fail to get the most out of their investment because they do not measure their efforts.
Importance of Information Security Metrics
KPIs and KRIs help you make better decisions in infosec. Measuring KPIs and KRIs helps you clearly understand the effectiveness of your efforts. Moreover, it lets you see how your efforts improved or declined over time. For that you need solid historical data to rely on; otherwise, you might end up making bad decisions.
Of course, you need a budget to implement infosec efforts. The only way to get one is from your business’ stakeholders or board members, and you first must present your case to them. If you don’t have good information security metrics, you’ll have a hard time making your case to the business leaders.
Take note that the metrics you choose should be clear and relevant. Moreover, together they must give a full picture of your organization’s infosec. You may also need KPIs for your vendors and other third parties.
Information Security Metrics To Track
Below are some examples of information security metrics you can track. The KPIs below are also easy to present to your business leaders.
- Track how many attempts bad actors tried to breach your networks.
- See how many devices on your network are up to date and fully patched.
- Measure the Mean Time To Acknowledge (MTTA) of your organization: the average time it takes you to begin working on an issue after receiving an alert.
- Your employees bring their own devices to work. Furthermore, they might be using IoT devices you are unaware of. These factors pose huge risks for your organization. Measure how many of these devices are on your network.
- Security awareness training is essential for all businesses. Check which people took and completed the training. Did they understand the material?
- Measure the Mean Time To Recovery (MTTR) of your network: how much time it takes your organization to recover from a system or product failure.
- Check the percentage of phishing emails opened by end-users.
- Check how many users have administrative access to your networks.
- If users report cybersecurity issues to your team, that is a good sign. It means that the people involved with your company recognize issues. Moreover, it is an indication that your training is working.
- Monitor how your antivirus software performs. Measure how often it scans common applications such as email clients, web browsers, and instant messaging software for known malware.
- Do you see a normal amount of traffic on your website?
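As an added example (not part of the original article), here is how the MTTA and MTTR items above can be computed from an incident log, using constructed sample records. It also surfaces the alerts nobody has acknowledged yet, since a plain average silently drops them and can make the team look faster than it is.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass
class Incident:
    ident: str
    alerted: datetime            # when the alert was received
    ack: Optional[datetime]      # None: nobody has started working on it
    recovered: Optional[datetime]  # None: system is still down

# Constructed sample log (hypothetical identifiers and times, not real data).
SAMPLE: List[Incident] = [
    Incident("INC-1", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 10), datetime(2024, 3, 1, 11, 0)),
    Incident("INC-2", datetime(2024, 3, 2, 14, 0), datetime(2024, 3, 2, 14, 30), datetime(2024, 3, 2, 15, 0)),
    Incident("INC-3", datetime(2024, 3, 3, 22, 0), datetime(2024, 3, 3, 22, 20), None),  # still recovering
    Incident("INC-4", datetime(2024, 3, 4, 8, 0), None, None),                            # never acknowledged
]

def _mean_minutes(deltas) -> Optional[float]:
    """Average of a list of timedeltas in minutes; None when there is nothing to average."""
    deltas = list(deltas)
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / 60 / len(deltas)

def mtta_minutes(incidents: List[Incident]) -> Optional[float]:
    """Mean Time To Acknowledge: alert received -> someone begins working on it.
    Only acknowledged alerts contribute; open ones are reported separately."""
    return _mean_minutes(i.ack - i.alerted for i in incidents if i.ack is not None)

def mttr_minutes(incidents: List[Incident]) -> Optional[float]:
    """Mean Time To Recovery: alert received -> service restored."""
    return _mean_minutes(i.recovered - i.alerted for i in incidents if i.recovered is not None)

def unacknowledged(incidents: List[Incident], now: datetime) -> List[Tuple[str, float]]:
    """Alerts with no acknowledgement, with their age in minutes at `now`.
    These never enter MTTA, so a low MTTA alongside a long list here is a red flag."""
    return [(i.ident, (now - i.alerted).total_seconds() / 60)
            for i in incidents if i.ack is None]

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 9, 0)
    print(f"MTTA: {mtta_minutes(SAMPLE):.1f} min")      # 20.0
    print(f"MTTR: {mttr_minutes(SAMPLE):.1f} min")      # 90.0
    print("Unacknowledged:", unacknowledged(SAMPLE, now))  # [('INC-4', 60.0)]
```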