Cybersecurity KPIs: Moving beyond MBOs
July 28, 2023 - Managing Others
Every savvy business leader knows the importance of setting and managing objectives for their teams. Many have adopted Peter Drucker’s Management by Objectives (MBOs) strategy to align their team’s goals with those of the organization. In the world of cybersecurity, however, the rapidly evolving threat landscape calls for a more dynamic approach to managing progress and performance. In this context, cybersecurity KPIs (Key Performance Indicators), underpinned by Drucker’s famous maxim “what gets measured gets managed,” take center stage.
Contrary to MBOs, which typically focus on the achievement of specific objectives, KPIs offer continuous, real-time insights into the effectiveness of ongoing processes, systems, and programs. They highlight areas requiring improvement, providing an opportunity for proactive adjustments, and arguably become more critical than MBOs in a cybersecurity context where prevention and rapid response are paramount.
Let’s delve into various domains of a security program and discuss relevant cybersecurity KPIs for each.
- Detection Engineering: This team’s goal is to ensure potential security threats are detected swiftly and accurately. Important KPIs include Mean Time to Detect (MTTD), False Positive Rate, and False Negative Rate. These metrics measure the efficiency and accuracy of your detection systems, respectively, guiding you towards necessary refinements.
- Security Operations: Here, rapid and effective response to threats is key. The key KPI is the Mean Time to Respond (MTTR), which assesses your response team’s agility.
- Security Education: This team is responsible for training staff in security practices. The most relevant KPIs are the percentage of employees who attended training and the retention rate of the training content. These metrics provide insights into the effectiveness of your education programs.
- Application Security (AppSec): This team ensures the security of your software applications. A useful KPI might be the number of identified and remediated vulnerabilities, which measures the robustness of your software’s security.
- Corporate Security (CorpSec): CorpSec takes care of endpoint and identity security. Here, KPIs might include the percentage of systems patched and the time to patch, measuring the efficiency of your patch management process. Another useful KPI is the number of endpoint devices compromised in a given period, reflecting the effectiveness of your endpoint security.
- Compliance: This team ensures that your company meets security standards and regulations. A couple of important KPIs are the number of compliance audits passed and the percentage of security Service Level Agreements (SLAs) met.
Remember, these KPIs should guide your security efforts and encourage continuous improvement. They should drive action, not just report on it. These metrics are only as good as the changes they inspire, and the security they ultimately enhance.
As the cybersecurity landscape continues to evolve, so too should our approach to measuring and managing it. KPIs, by providing a real-time, dynamic measure of performance, can keep our security efforts nimble, effective, and aligned with business objectives.
We’d love to hear from you. If you have other cybersecurity KPIs that have worked well for your program, please share them in the comments below.