Cybersecurity KPIs: Moving Beyond MBOs
Every savvy business leader knows the importance of setting and managing objectives for their teams. Many have adopted Peter Drucker’s Management by Objectives (MBO) strategy to align their team’s goals with those of the organization. In the world of cybersecurity, however, the rapidly evolving threat landscape calls for a more dynamic approach to managing progress and performance. In this context, cybersecurity KPIs (Key Performance Indicators), underpinned by Drucker’s famous maxim “what gets measured gets managed,” take center stage.
MBOs vs. Cybersecurity KPIs
Unlike MBOs, which typically focus on the achievement of specific objectives, KPIs offer continuous, real-time insight into the effectiveness of ongoing processes, systems, and programs. They highlight areas requiring improvement and create an opportunity for proactive adjustment. In cybersecurity, where prevention and rapid response are paramount, KPIs arguably become more critical than MBOs.
Let’s delve into various domains of a security program and discuss relevant cybersecurity KPIs for each.
Key Cybersecurity KPIs by Domain
Detection Engineering
This team’s goal is to ensure potential security threats are detected swiftly and accurately. Important KPIs include:
- Mean Time to Detect (MTTD) – Measures how quickly security threats are identified.
- False Positive Rate – Measures the share of alerts that are benign activity mistakenly flagged as threats.
- False Negative Rate – Measures how often real threats go undetected.
These metrics help assess the efficiency and accuracy of your detection systems, guiding necessary refinements.
Security Operations
Here, rapid and effective response to threats is key. A crucial KPI is:
- Mean Time to Respond (MTTR) – Assesses your response team’s agility in mitigating threats.
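To make the Detection Engineering and Security Operations KPIs above concrete, here is an added example (not code from the original post) that computes MTTD, MTTR, False Positive Rate and False Negative Rate from a small set of constructed incident and alert records. The data model is an assumption: each confirmed incident carries the time attacker activity began (from forensics), the time a detection fired (None if it was never detected), and the time it was contained (None if still open); each triaged alert is either linked to a confirmed incident or marked benign. The edge cases a practitioner hits in practice are handled: undetected incidents are excluded from MTTD but counted in the False Negative Rate, open incidents are excluded from MTTR, and empty inputs return None rather than dividing by zero.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    first_malicious_activity: datetime    # start of attacker activity, per forensic timeline
    detected_at: Optional[datetime]       # when a detection fired; None = never detected
    contained_at: Optional[datetime]      # when the incident was contained; None = still open


@dataclass
class Alert:
    alert_id: str
    rule: str
    incident_id: Optional[str]            # linked confirmed incident, or None if triaged benign


def _mean(deltas: list) -> Optional[timedelta]:
    """Mean of a list of timedeltas, or None when the list is empty."""
    if not deltas:
        return None
    return sum(deltas, timedelta()) / len(deltas)


def mean_time_to_detect(incidents: list) -> Optional[timedelta]:
    """MTTD: mean of (detected_at - first_malicious_activity) over incidents that were detected."""
    return _mean([i.detected_at - i.first_malicious_activity
                  for i in incidents if i.detected_at is not None])


def mean_time_to_respond(incidents: list) -> Optional[timedelta]:
    """MTTR: mean of (contained_at - detected_at) over incidents that were both detected and contained."""
    return _mean([i.contained_at - i.detected_at
                  for i in incidents if i.detected_at is not None and i.contained_at is not None])


def false_positive_rate(alerts: list) -> Optional[float]:
    """Share of triaged alerts that turned out to be benign activity."""
    if not alerts:
        return None
    benign = sum(1 for a in alerts if a.incident_id is None)
    return benign / len(alerts)


def false_negative_rate(incidents: list) -> Optional[float]:
    """Share of confirmed incidents that no detection caught (found by users, partners, etc.)."""
    if not incidents:
        return None
    missed = sum(1 for i in incidents if i.detected_at is None)
    return missed / len(incidents)


def kpi_report(incidents: list, alerts: list) -> dict:
    """Bundle the four KPIs into one dictionary for a dashboard or weekly review."""
    return {
        "mttd": mean_time_to_detect(incidents),
        "mttr": mean_time_to_respond(incidents),
        "false_positive_rate": false_positive_rate(alerts),
        "false_negative_rate": false_negative_rate(incidents),
    }


# Constructed sample data (not real incidents).
T = datetime  # alias to keep the rows short
INCIDENTS = [
    Incident("INC-1", T(2024, 1, 1, 8), T(2024, 1, 1, 10), T(2024, 1, 1, 13)),   # detect 2h, respond 3h
    Incident("INC-2", T(2024, 1, 2, 0), T(2024, 1, 2, 4), T(2024, 1, 2, 5)),     # detect 4h, respond 1h
    Incident("INC-3", T(2024, 1, 3, 9), None, T(2024, 1, 4, 9)),                 # missed; reported by a user
    Incident("INC-4", T(2024, 1, 5, 12), T(2024, 1, 5, 13), None),               # detect 1h, still open
]
ALERTS = [
    Alert("ALR-1", "suspicious-login", "INC-1"),
    Alert("ALR-2", "lateral-movement", "INC-2"),
    Alert("ALR-3", "suspicious-login", None),      # benign: admin on a new laptop
    Alert("ALR-4", "dns-tunnel", None),            # benign: long TXT lookups from a monitoring tool
    Alert("ALR-5", "lateral-movement", "INC-4"),
]

if __name__ == "__main__":
    for name, value in kpi_report(INCIDENTS, ALERTS).items():
        print(f"{name}: {value}")
```

Note that MTTD needs a forensic start time for each incident, which is only available after investigation; a dashboard computed from alert timestamps alone measures time-to-alert, not time-to-detect, and will understate the real number.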
Security Education
This team is responsible for training staff in security practices. The most relevant KPIs include:
- Percentage of Employees Trained – Tracks overall participation in security training programs.
- Training Retention Rate – Measures how well employees retain key security concepts over time.
These metrics provide insights into the effectiveness of your security awareness programs.
Application Security (AppSec)
This team ensures the security of your software applications. A useful KPI might be:
- Number of Identified and Remediated Vulnerabilities – Measures the robustness of your software’s security.
Corporate Security (CorpSec)
CorpSec is responsible for endpoint and identity security. Key KPIs include:
- Percentage of Systems Patched – Tracks how consistently security patches are applied.
- Time to Patch – Measures the speed of patch deployment after vulnerabilities are identified.
- Number of Endpoint Devices Compromised – Reflects the effectiveness of endpoint security.
Compliance
This team ensures that your company meets security standards and regulations. Important KPIs include:
- Number of Compliance Audits Passed – Indicates adherence to regulatory requirements.
- Percentage of Security SLAs Met – Measures performance against agreed security service levels.
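The CorpSec patching KPIs (Percentage of Systems Patched, Time to Patch) and the Compliance KPI Percentage of Security SLAs Met are usually computed from the same vulnerability-management records, so here is one added example (not code from the original post) that derives all three. It assumes a constructed per-severity patch SLA and a record per (host, vulnerability) pair with the date the finding was identified and the date it was patched (None while open); the vulnerability identifiers are placeholders, not real CVEs. The subtle part a practitioner cares about is how open findings are scored: an open finding past its deadline counts as an SLA breach, while an open finding still inside its window is excluded from the percentage rather than counted as met.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed SLA policy (assumption): days allowed from identification to patch, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class PatchRecord:
    host: str
    vuln_id: str              # placeholder identifier, not a real CVE
    severity: str
    identified: date          # date the finding was confirmed on this host
    patched: Optional[date]   # date the patch was applied; None = still open

    def deadline(self) -> date:
        return self.identified + timedelta(days=SLA_DAYS[self.severity])


def percent_systems_patched(records: list, as_of: date) -> Optional[float]:
    """Percentage of (host, vuln) pairs patched on or before as_of."""
    if not records:
        return None
    done = sum(1 for r in records if r.patched is not None and r.patched <= as_of)
    return 100.0 * done / len(records)


def mean_time_to_patch_days(records: list) -> Optional[float]:
    """Mean days from identification to patch, over records that have been patched."""
    durations = [(r.patched - r.identified).days for r in records if r.patched is not None]
    if not durations:
        return None
    return sum(durations) / len(durations)


def percent_sla_met(records: list, as_of: date) -> Optional[float]:
    """Percentage of decided findings patched within SLA.

    A finding is 'decided' once it is patched (met or breached by comparing to its deadline)
    or once its deadline has passed while still open (breached). Open findings inside their
    window are not yet decided and are left out of the denominator.
    """
    met = breached = 0
    for r in records:
        if r.patched is not None:
            if r.patched <= r.deadline():
                met += 1
            else:
                breached += 1
        elif as_of > r.deadline():
            breached += 1
    decided = met + breached
    return None if decided == 0 else 100.0 * met / decided


def overdue_findings(records: list, as_of: date) -> list:
    """Open findings past their SLA deadline, the list a CorpSec lead would chase this week."""
    return [(r.host, r.vuln_id) for r in records
            if r.patched is None and as_of > r.deadline()]


# Constructed sample data (not real hosts or findings).
RECORDS = [
    PatchRecord("host-a", "VULN-0001", "critical", date(2024, 2, 1), date(2024, 2, 5)),   # 4 days, met
    PatchRecord("host-b", "VULN-0001", "critical", date(2024, 2, 1), date(2024, 2, 15)),  # 14 days, breached
    PatchRecord("host-c", "VULN-0001", "critical", date(2024, 2, 1), None),               # open, overdue
    PatchRecord("host-a", "VULN-0002", "high", date(2024, 2, 10), date(2024, 2, 20)),     # 10 days, met
    PatchRecord("host-b", "VULN-0002", "high", date(2024, 2, 10), None),                  # open, within SLA
    PatchRecord("host-c", "VULN-0003", "medium", date(2024, 1, 1), date(2024, 2, 1)),     # 31 days, met
]
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    print("percent patched:", percent_systems_patched(RECORDS, AS_OF))
    print("mean time to patch (days):", mean_time_to_patch_days(RECORDS))
    print("percent SLA met:", percent_sla_met(RECORDS, AS_OF))
    print("overdue:", overdue_findings(RECORDS, AS_OF))
```

Reporting Percentage of Systems Patched without the overdue list tends to hide the single unpatched critical host behind a healthy-looking aggregate; pairing the percentage with the per-host list is what turns the KPI into action.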
Using KPIs to Drive Action
These KPIs should guide security efforts and encourage continuous improvement. They should drive action, not just report on it. Metrics are only as valuable as the changes they inspire and the security enhancements they enable.
As the cybersecurity landscape continues to evolve, so too should our approach to measuring and managing it. KPIs, by providing a real-time, dynamic measure of performance, help keep security efforts nimble, effective, and aligned with business objectives.
We’d love to hear from you! If you have other cybersecurity KPIs that have worked well for your program, please share them in the comments below.