Demand More Achievement in Cybersecurity
Despite the 3,000+ available cyber tools and considerable activity organizations pour into their security programs, news of double-digit increases in attacks doesn’t bode well on the achievement scale. The quote from Coach John Wooden, winner of 10 NCAA championship titles, sums it up well. “Never mistake activity for achievement.” It makes one wonder, what are we truly achieving in cybersecurity? If we want to make meaningful strides in cyber, we need to change the paradigm from activity to achievement.
Our industry has a systemic problem with cybersecurity reporting which is hindering efforts to mature as fast as we need to. Most security “metrics” are unstandardized and paint a picture of confidence and competence that the uninitiated dare not question (or likely don’t know how to). At best, the perpetuation of these unhelpful narratives works in the short term, about as long as the average tenure of a CISO, under three years.
Security professionals tend to default to those metrics that are relatively easy to derive. After all, teams are understaffed and will continue to be as ISC2 reports a projected shortage of four million worldwide trained cybersecurity positions.
Examples of “vanity” metrics we often hear are: “We use ________.” (insert Gartner Magic Quadrant leader here); “Our next gen firewall blocks 70k attacks a minute.”; “Our team patches 90k vulnerabilities a month.”; or, “We use ________ compliance framework and are using ATT&CK.” At first glance, the situation seems under control, or at the very least being managed.
Leading up to their 2017 breach, Equifax likely reported similar greatness, after all they had a reported $85M annual cybersecurity budget to play with. Having a large team with policies, vulnerability management, network monitoring tools, processes, and governance wasn’t enough. There was no enterprise visibility into cybersecurity effectiveness, and the board and C-level leadership did not understand their true picture or what implications it had on overall risk to the business.
Consider new research out of Stanford University by Nicolas Bloom et al. asserting that management practices account for more than 20 percent of productivity variations. The research states that this is a similar, or greater percentage as that accounted for by R&D, Information and Communication Technologies, or human capital.
The researchers focused on the degree by which Key Performance Indicators (KPIs) were established, visible, reviewed, and embedded as part of employee performance conversations and incentives. Simply put, using KPIs can make a team more effective than buying another tool or hiring more staff.
We’ve seen this concept play out in several established professional disciplines. Consider the following: During a board meeting, would a CFO report on the state of the business as fine because they use SAP? No, EBIT is the near defacto standard. Similarly, a project manager running a large infrastructure project wouldn’t say: “All good, we have a large team and we’re using some cutting-edge tools and techniques.” Unacceptable. The expectation is firm, industry-accepted KPIs such as Cost and Schedule Performance Index.
Finally, a customer service organization would not do well by simply citing the use of Salesforce and the volume of calls they handle as an indicator of performance. KPIs such as Net Promoter Score (NPS) are the standard. In this context, it now seems disingenuous to cite any of our aforementioned cyber vanity metrics as a measure of performance or maturity.
Each of these relatively long-established business disciplines contains its own universal method for answering the question, “how well are we doing?” Whereas in cybersecurity, we find that exact same question extremely difficult to answer and often fall back on answering a less insightful question, “What are we doing?”
It’s time to change our conversations around cybersecurity in order to effectively baseline and mature our programs while truly understanding the underlying risks to the business we support. Moving away from vanity metrics starts with the basics. As Robert Hannigan, the former head of GCHQ noted: “Despite the threat posed by sophisticated state-backed cyber-attacks, there’s a simple way to avoid 80 to 90 percent of cyber-attacks – doing the basics right.” I’m sure Equifax would agree.
We need automated measures of effectiveness relative to operationalized cybersecurity. This means taking a hard look at the people, processes, and tools in place. Specifically, KPIs for cyber or what I refer to as Cybersecurity Performance Indicators (CPIs). CPIs go far beyond current metrics used today to:
- Effectively communicate across the organization and up to the CIO and Board;
- Eliminate the need for manual data sources and reliance on the individuals who maintain them;
- Take advantage of existing security investments;
- Baseline the organization and monitor effectiveness over time;
- Quickly identify what is working or needs to be fixed to increase performance;
- Inform strategy and roadmap as the program grows in maturity;
- Align the organization with policies and promote a culture of risk management with incentive-based team competition.
There’s just too much at stake. It’s no longer acceptable to self-report status or “metrics” that merely highlight the heroic activity of the security team. We must collectively demand and achieve more.
Let’s mature cybersecurity by leveraging advances in automation to transform organizational tools, goals, and assets into attributable CPIs and data-informed actions to reduce risk to the business through the effective management of cybersecurity performance.