Security Metrics Reference
This page built in collaboration with Jared Pfost, our guest on episode 146 of The Cyber Risk Management Podcast.
Listen to podcast episode — https://cr-map.com/podcast/146/
View Jared’s LinkedIn Profile — https://www.linkedin.com/in/jaredpfost/
Objective: Enable a Security or IT leader to improve security investment decisions through measurement.
Business Problem: Manage risk to an acceptable level with limited resources.
- Measure what matters most:
  - Build measurements for fundamental controls and where investment decisions are needed.
  - Leverage a risk assessment, like Cyber Risk Opportunities', to prioritize investment decision areas, then use metrics to measure progress.
- Are we measuring controls or risk? Yes!
  - Each control should be mapped to one or more risks.
  - I prefer to define high-level Loss Scenario statements that resonate with business leaders.
    - e.g. loss of intellectual property, service disruption, reputational impact from a customer data breach, etc.
  - Each Loss Scenario has a “kill chain” where threats may exploit vulnerabilities.
  - Metrics measure the effectiveness of controls in managing security posture, or the degree of vulnerability.
- Construct actionable metrics:
  - Each metric should have a short-term and a long-term target value.
  - Long-term targets represent acceptable risk.
  - Who defines acceptable risk, aka metric targets?
    - Business leaders, with Security facilitating the discussion from start to finish.
    - More on this as we share metric examples.
- Key metrics in my experience span these IT service domains:
  - Application development
  - Device management
  - Cloud configuration
  - Identity & Access Management (IAM)
  - Detection & Response
  - Governance, Risk, and Compliance (GRC)
  - Data
- Application
  - % of high-impact applications meeting secure development requirements (DevSecOps). Example of a control coverage metric.
  - % of applications in the CMDB vs. those enumerated by Security (i.e. attack surface management).
  - % of application vulns mitigated within the policy timeframe. Example of a performance metric.
  - % of applications with no critical vulnerabilities in production. Example of an outcome metric.
- Types of metrics:
  - As your security program matures, metric types will move from coverage to outcomes.
  - Once a control is mature and isn’t driving an investment decision, move its coverage metrics to an operational scorecard.
    - It’s no longer a Key Risk Indicator (KRI).
  - The ability to drive decisions is what sets a metric apart from a KRI!
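As an added example (not code from the page or its guest), a small Python scorecard that computes the four Application metrics above from a constructed inventory, ages each vuln against an assumed 30-day policy timeframe, and compares each value to assumed short- and long-term targets:

```python
from datetime import date

POLICY_DAYS = 30              # assumed policy timeframe (days) for mitigating an application vuln
TODAY = date(2024, 3, 1)      # assumed reporting date, used to age still-open vulns

# Constructed sample inventory (not real data). Per app: high_impact, in_cmdb (False = found only by
# Security's enumeration), devsecops (meets secure dev requirements), vulns = (severity, found, fixed or None).
APPS = {
    "billing": dict(high_impact=True, in_cmdb=True, devsecops=True,
                    vulns=[("critical", date(2024, 1, 5), date(2024, 1, 20))]),
    "portal": dict(high_impact=True, in_cmdb=True, devsecops=False,
                   vulns=[("high", date(2024, 1, 1), date(2024, 2, 15)),
                          ("critical", date(2024, 2, 20), None)]),
    "wiki": dict(high_impact=False, in_cmdb=False, devsecops=False,
                 vulns=[("medium", date(2024, 1, 10), None)]),
    "hr": dict(high_impact=True, in_cmdb=True, devsecops=True, vulns=[]),
}

def pct(num, den):
    return round(100.0 * num / den, 1) if den else 0.0
def coverage_devsecops(apps):  # control coverage: high-impact apps meeting DevSecOps requirements
    hi = [a for a in apps.values() if a["high_impact"]]
    return pct(sum(a["devsecops"] for a in hi), len(hi))
def coverage_cmdb(apps):  # apps recorded in the CMDB vs. everything Security enumerated
    return pct(sum(a["in_cmdb"] for a in apps.values()), len(apps))
def performance_sla(apps, today):  # performance: vulns mitigated within the policy timeframe
    # Due = fixed, or still open past the window; an open vuln inside the window is not yet due.
    met = due = 0
    for _, found, fixed in (v for a in apps.values() for v in a["vulns"]):
        if fixed is not None:
            due += 1
            met += (fixed - found).days <= POLICY_DAYS
        elif (today - found).days > POLICY_DAYS:
            due += 1  # overdue and still open counts as a miss
    return pct(met, due)
def outcome_no_critical(apps):  # outcome: apps with no open critical vuln in production
    clean = sum(not any(sev == "critical" and fixed is None for sev, _, fixed in a["vulns"])
                for a in apps.values())
    return pct(clean, len(apps))

def status(value, short_target, long_target):  # long-term target = acceptable risk
    return ("acceptable" if value >= long_target else
            "on track" if value >= short_target else "needs investment")

def scorecard(apps=APPS, today=TODAY):  # rows: (value, short-term target, long-term target)
    rows = {"devsecops_coverage": (coverage_devsecops(apps), 60, 95),
            "cmdb_coverage": (coverage_cmdb(apps), 80, 98),
            "vulns_within_policy": (performance_sla(apps, today), 70, 90),
            "no_critical_in_prod": (outcome_no_critical(apps), 70, 100)}
    return {k: (v, status(v, s, l)) for k, (v, s, l) in rows.items()}
```

The targets are placeholders; in practice business leaders set them, and a row that reaches "acceptable" and no longer drives a decision is the one to move to the operational scorecard.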
- Device
  - % of devices in the CMDB vs. those enumerated by Security.
  - % of devices meeting configuration standards. Separate device classes where the control owners differ, e.g. end-user devices vs. infrastructure.
  - % of device vulns mitigated within the policy timeframe.
- Cloud
  - % of assets meeting configuration standards.
  - % of cloud vulns mitigated within the policy timeframe.
- IAM
  - % of users meeting authentication requirements, e.g. MFA.
  - % of assets meeting authentication requirements, e.g. MFA and PAM.
  - % of service accounts meeting the standard, e.g. no interactive login and a defined change frequency.
  - % of admin accounts reviewed per policy.
  - % of accounts terminated per policy, e.g. within 12 hours of termination.
- Detection & Response
  - % of users passing phishing simulations. Add the degree of phishing sophistication as you mature and the threat landscape evolves, e.g. AI-enabled threat actors.
  - % of assets meeting the monitoring standard (focus on cloud, devices, and identities as needed).
  - Bonus metric for mature shops: % of pen test or red team activities detected by the blue team.
  - % of incidents detected within the target timeline. Add incident severity as this matures.
  - % of incidents contained within the target timeline.
- GRC
  - % of compliance controls with automated reporting (to maintain health continuously vs. just during audits).
  - % of risk register items actively managed, i.e. with current treatment decisions by the business.
- Data
  - % of backups meeting resiliency requirements, i.e. malware-resistant.
  - % of critical business functions with tested continuity plans.
  - % of Data Loss Prevention issues mitigated within the policy timeframe.