Skip to content
"VC3 has made it easier than ever before for our local government to serve our citizens by providing us with modern web tools and a team
of talented and courteous professionals.
City of Valdosta, GA

Find All the Resources You Need

Our resources & insights includes case studies, client testimonials, guides, checklists, blog articles and more!

 

7 min read

Cybersecurity KPIs: How Do You Know if Your Security Strategy is Working?

Cybersecurity KPIs

It can be difficult to measure the value you’re getting from your investment in cybersecurity because you may not really notice that it’s working until you have an intruder. At the same time, business leaders ask for cybersecurity KPIs so they can justify the expense. So how do you measure something that is designed to keep you safe?

Think about why you have smoke detectors, fire extinguishers, and fire drills. If you go year after year without a fire incident, does that mean you wasted your money on fire safety equipment and training? Certainly not. But you can’t measure value by the number of fires you didn’t have.

What you have to look at is how effective you are in following fire safety practices and regulations. And that’s similar to what you have to do with cybersecurity too.

Measure Cybersecurity Value by Readiness

For small and medium-sized businesses, the best way to measure cybersecurity is by your level of readiness.

The way you determine readiness is to look at the cyber safety tactics you have in place. These tactics can be categorized by their focus on:

Adapt the following cybersecurity KPIs to your organization, and you’ll be able to communicate the value of ongoing cybersecurity.

10 Cybersecurity KPIs

  1. Security Policies KPI – Do we have appropriate policies to document secure behavior? Are we training employees in their use? How successful are we in enforcing policies?
  2. Security Strategy KPI – Are we regularly meeting with our Technology Advisor or vCISO to review our strategy? What improvements have we implemented? What improvements have been recommended that we have yet to implement?
  3. Vulnerability Management KPI – How many severe or critical vulnerabilities are found each reporting period? Are we trending down compared with the last scan?
  4. Compliance KPI – Are we successfully maintaining compliance? If not, where are we slipping, and what do we need to do to adjust?
  5. MFA KPI – What percentage of accounts are using MFA? Are non-MFA accounts being monitored?
  6. Password Management KPI – Are we enforcing password management best practices for length, complexity, and updates?
  7. Account Privileges KPI – Does each employee have access to only the data and systems they need to do their job? Do we have alerts set up to notify us when account privileges are changed?
  8. Cybersecurity Awareness Training KPI – Are all employees enrolled in ongoing training? Who needs more practice based on feedback from phishing simulations? Is our Phish-Prone Percentage trending down?
  9. EDR and AV KPI – Is EDR and AV installed on all devices? If it’s missing, is there a reason why? Of the incidents that needed response, how many were false positives and how many were malicious programs?
  10. Software Patching KPI – Are we updating all software with security patches? Is this process automated? Is third-party software being patched?

Overarching Security Considerations for Your Organization

1. Security Policies

Look to your security policies for measurable indicators of your cybersecurity readiness. Your policies document how you want employees to act in certain situations. You may use other tactics (including technical tools) to enforce policies, but teaching employees what is expected regarding secure behavior is foundational to cyber readiness.

KPI – Do we have appropriate policies to document secure behavior? Are we training employees in their use? How successful are we in enforcing policies?

2. Security Strategy Review and Improvement

It’s beyond the scope of this article to detail all of the technical tactics that every organization should be using for cybersecurity. However, a business level measurement you can use to determine if you’re staying up to date with modern cybersecurity tactics would be how often you review your security strategy and implement improvements.

KPI – Are we regularly meeting with our Technology Advisor or vCISO to review our strategy? What improvements have we implemented? What improvements have been recommended that we have yet to implement?

3. Identify Weaknesses

Tactics that look for weaknesses in your security layers will feed your security strategy.

Your network is constantly changing – users are being added and subtracted, data is being created, connections are added and removed – and your security strategy needs to be dynamic too.

Vulnerability scanning searches for and identifies gaps that need to be closed.

KPI – How many severe or critical vulnerabilities are found each reporting period? Are we trending down compared with the last scan?

4. Adherence to Compliance Frameworks

If you’re in a regulated industry, your success at attaining and maintaining compliance is a very relevant component of your cybersecurity health. Likewise, if your customer or vendor mandates that you follow a common framework like NIST as a requirement for doing business, you’ll need to know and communicate that you’re adhering to their standards.

Keep in mind that compliance does not equal security. Your security strategy will include components that aren’t necessarily wrapped into your compliance tactics.

KPI – Are we successfully maintaining compliance? If not, where are we slipping, and what do we need to do to adjust?

Individuals Are Your First Line of Defense

Your people are your first line of defense against cyber attacks, and they can intentionally or unintentionally bypass all of your other security measures by their actions.

There are three security layers that you should use to measure employees’ cybersecurity readiness.

1. Multi-Factor Authentication (MFA)

Check if MFA has been deployed to all accounts and monitor that its use does not slip. If there are accounts exempted from using MFA – like emergency administrator accounts – track those accounts to ensure they’re used solely for administrative purposes.

KPI – What percentage of accounts are using MFA? Are non-MFA accounts being monitored?

2. Password Management

Just because you have everyone using MFA doesn’t mean you don’t need good password management. You do. Passwords should have a minimum length and follow complexity requirements. Many security professionals recommend changing your password once or twice a year.

KPI – Are we enforcing password management best practices for length, complexity, and updates?

3. Account Privileges

Management of privileges goes hand in hand with password management because it’s the next layer needed to control access to IT systems and data. Privileges for each account should be documented and monitored.

KPI – Does each employee have access to only the data and systems they need to do their job? Do we have alerts set up to notify us when account privileges are changed?

4. Cybersecurity Awareness Training

Employees need to know how to recognize and respond to potential phishing and social engineering attacks. That’s where cybersecurity awareness training comes in. An annual workshop won’t make the impact on individual behavior that you need, so training needs to be ongoing and individualized.

KPI – Are all employees enrolled in ongoing training? Who needs more practice based on feedback from phishing simulations? Is our Phish-Prone Percentage trending down?

Device Level Security

Just as you must look at the level of cybersecurity readiness for computer users, you can review each individual machine or device for deployment of next-gen security tools and use of security best practices.

1. Endpoint Detection and Response (EDR)

With EDR, you get the ability to detect and respond to both known and unknown threats. EDR watches for network traffic patterns to identify abnormal traffic and responds to malware that’s been installed on a device.

KPI – Is EDR installed on all devices? If it’s missing, is there a reason why? Of the incidents that needed response, how many were false positives and how many were malicious programs?

2. Software and Operating System Patching

Keeping software up to date with the latest security patches is a traditional security tactic that continues to be necessary. Vulnerabilities in unsupported software (including operating systems) are known targets for cyber criminals.

KPI – Are we updating all software with security patches? Is this process automated? Is third-party software being patched?

Cybersecurity Metrics Measure Readiness

Do you get the idea now that cybersecurity key performance indicators are tied up with readiness? It would certainly be interesting to know how many intruders were repelled because of your security, but in the end, that’s not the kind of data that moves you forward.

You should now be able to start tracking your security KPIs. Create a simple spreadsheet and begin. In fact, processing your security strategy in this way can even help you understand it better, which will help you communicate the value of security in the long run.

VC3 Managed Security Services

Here at VC3, we work with clients to craft and implement cybersecurity strategies that meet their safety, compliance, and business sustainability goals.

If the way your managed IT service provider is handling security doesn’t give you confidence and peace of mind, we should talk. Contact us for a cybersecurity assessment.

Let's talk about how VC3 can help you AIM higher.