When I talk about security for the SMB, the go-to barrier is insufficient resources to invest in security. While I’m not denying that limited resources for a smaller organization can constrain your options when it comes to building your own security solution, having KPIs to measure the risk you are facing, and the progress you are making in mitigating it, can help you gain access to said resources. Unfortunately, some of the KPIs dictated by so-called “best practices” are really meant for the larger enterprises who have already invested in cybersecurity people, processes, and technology. In this post, I’ll take you through the KPIs you need to demonstrate improvement over time, and considerations for how you capture these indicators – without presuming you already have an advanced cybersecurity program to feed vanity metrics.
What are the Cybersecurity KPIs for the SMB?
There are two kinds of KPIs when it comes to cyber: proactive and reactive. Proactive metrics refer to behaviours we take before an incident to mitigate the risk of it happening (or happening again), or minimize the damage that can occur when it does. Reactive metrics are about the actions taken by our team, or our solutions, once an infection, breach, or indicator of compromise is detected. Keep in mind that when communicating any KPI there is a responsibility to report beyond the quantification of what is happening, to get at a meaningful representation of what this means for your SMB - in other words, articulating the risk to the business, and the costs associated with it in terms of money and time. While this may sound daunting, it should ultimately help you demonstrate the change in risk to your leadership team to drive good decisions. Or, if you’re already invested in your own cybersecurity program, this should help you demonstrate that your risk is (hopefully) decreasing over time.
These are the metrics that get all the attention, possibly because they are the most tangible when it comes to a person's involvement managing a system which detects issues like Anti-Virus, Firewalls or SIEMs. These are how (typically larger) enterprises assess what happened during a breach. The goal is to improve detection, or response, or minimize damage if they’re unable to react in time. Some standard examples include:
- Mean Time to Detect: How long did it take us to detect the issue?
- Mean Time to Respond: This metric comes from a service management perspective, and assumes someone is alerting you to a problem like an outage – typically not the case for the SMB.
- If you’re using a SIEM, some organizations leverage the metrics it can provide (total number of events, total devices being monitored). I have discussed the shortcomings of SIEM for the SMB elsewhere, as well as how we are modernizing SIEM functionality within our MDR process/platform.
There are several reasons that such reactive metrics should not be the focus of the SME. When a single breach can cripple your operation, you can’t expect that there will be a “next time” for you to improve. Which is a scarier way of saying that without multiple breaches/indicators of compromise to compare over time, your “sample size” is simply too small to be able to derive meaningful changes based on past responses as captured by reactive metrics.
As always it’s back to the resource constraint; the small to medium-sized enterprise doesn’t really have the cybersecurity people, processes, or technologies to generate useful reactive metrics. Of course, if you’re suffering from an incident, you should call an incident responder (like ActZero! 😊) to remediate the issues for you, and shift your reporting focus to proactive KPIs moving forward. Proactive efforts are where your focus should be.
Proactive KPIs refer to the preventative measures (left of boom) that your organization can and should take before dealing with a breach. By focusing on the proactive KPIs listed below, you still drive improvement of your security, and these items are within your ability to control, with minimal people, process, and technology required.
The things you should be tracking include:
- Which Configuration Settings have you changed? How many? The policy should dictate one number – how many systems actually reflect your policy (that you spent so much time coming up with) is of interest in assessing the progress in executing on that vision.
- Patches per asset per month - shows you the rate at which you’re addressing hygiene issues. Of course, understanding this in the context of patches remaining can help too.
- Vulnerabilities identified/remediated per week – ultimately, these vulnerabilities are the source of your problems. By tracking your progress in remediating vulnerabilities, you are demonstrating progress in reducing the risk facing your organization, as there is a risk that any such vulnerability could be exploited.
Ultimately, these proactive metrics are about the efforts you are taking to reduce your risk – not how long can you survive a given malware attack.
How you are capturing this information is as (if not more) important as the information itself. For instance, none of these has much value as a ‘point in time’ capture; make sure your processes are structured to repeat capturing these metrics over time. Evaluating your security is just like going to the gym, where you wouldn’t expect to see tangible results on your first visit; continuing to capture these metrics and taking action to improve your proactive activities is essential for reducing risk.
Continuing with the gym analogy, you wouldn’t only focus on one area of your body either. Make sure you are varying what you are measuring across the different parts of the attack surface. That means measuring your efforts on the endpoint, the network, email, and web, to name a few. Just as attackers leverage different vectors to gain access to your systems, you must test and measure against each of them.
Whatever metrics you are tracking, you must communicate them in a way that business leadership understands. Many executives will have no frame of reference for how many vulnerabilities a given IT coordinator should be able to remediate in a month, nor that these proactive measures mitigate the risk of a breach (though they are starting to understand that the risk of a breach represents tangible and business-threatening costs). By quantifying the risk in terms of the potential cost to the business, and repeating this assessment frequently, you can demonstrate the tangible value that securing the organization brings (without waiting to react to a breach).
For a look at questions that foster common understanding between technical and non-technical stakeholders, see my post on the best/worst questions to ask. This will serve as a good framework of what to pursue and avoid.
Of course, you’ll need a more holistic view of your security to represent the risk you are truly facing. ActZero presents our MDR clients with a monthly report that details exactly what steps you should take (as prioritized by our experts) to reduce your risk through proactive measures – because not all patches are created equal. Check out a demo of our service to get the full picture!