
Hafiz Muhammad Attaullah


Cyber Security – “Are we Secure”

Imagine that, as the Cyber Security Manager, your CEO asks you, “Are we secure?”. What should your answer be, and do you have effective measurement criteria to justify your response?

Most Cyber Security Managers deploy advanced security solutions and security processes to implement cyber security across the organization, but they fail to effectively measure the actual implementation of those solutions and processes (i.e. whether the solutions and processes are working as expected). Measuring what you are implementing is the key to understanding how mature your organization is against your cyber strategy and objectives.

Below are some of the important indicators that can be used to measure the maturity of your cyber security program. They can help you with audit and compliance, and support a positive response to management that cyber security is under control and that “YES”, we are secure against current threats.

Some of the important KPIs to be used by Cyber Security Managers

GRC KPIs

  1. % compliance with applicable regulations and standards (PCI-DSS, ISO 27001, QCSF, NIA, NIST)
  2. No. of regulatory reports delivered within the agreed SLA, and no. of SLAs missed
  3. Open internal / external audit issues older than 90 days
  4. No. of open High/Medium risks without a compensating control (report risks, not vulnerabilities, to business leaders)
  5. % of staff who completed security awareness training, % of staff who passed the quiz, % of staff phished
  6. Projects exceeding budget / timelines by more than 10% (budgets may exceed the planned budget by at most 10%, and schedules may exceed the planned schedule by at most 10%)
  7. % of successful and unsuccessful changes, and no. of unapproved changes
  8. % of systems under continuous vendor support, and systems without support

Security Monitoring and Incident Response KPIs

  9. No. of incidents reported for the month
  10. % of incidents closed within SLA, and % that missed SLA
  11. % of incidents that caused an actual breach/compromise
  12. No. of threat hunts performed in the quarter
  13. No. of successful incident response drills/tabletop exercises in the quarter

Security Assurance KPIs

  14. % of systems compliant with Critical/High/Medium patches, and % of systems with missing patches (patch management)
  15. % of open and closed Critical/High vulnerabilities on systems (vulnerability management)
  16. % of vulnerable systems without compensating controls (virtual patching)
  17. % of systems and networks configured with the security baseline
  18. % of systems updated with the latest endpoint protection (antivirus, EDR, DLP, device control)
  19. Privileged access review for critical systems and applications (no. of unused IDs and privileges)
  20. No. of open Critical/High application security issues (application penetration testing)

Each KPI should define its acceptable criteria (the threshold that counts as acceptable), its reporting frequency, and the source data used to validate the figure.
You don’t need to report all KPIs to business leaders; they will be interested in only a few, related to open risks, open audit issues, staff awareness, compliance with regulations, and budgets.
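As an added example (not from the original post), the block below shows one way to attach the three things asked for above, acceptable criteria, frequency and source data, to each KPI, and to compute four of the listed indicators (items 3, 10, 11 and 14) from constructed sample records. The record layouts, target thresholds and sample values are assumptions made for illustration.

```python
"""Added example (not from the original post): a small KPI scorecard that gives
each indicator an acceptable criterion, a reporting frequency and a source of
record, then evaluates four of the listed KPIs over constructed sample data.
Record shapes, targets and sample values are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2024, 6, 30)  # constructed reporting date


@dataclass(frozen=True)
class Kpi:
    name: str
    target: float           # acceptable criteria: threshold the value is judged against
    higher_is_better: bool  # direction in which the target is read
    frequency: str          # how often the KPI is reported
    source: str             # system of record used to validate the reported figure


def status(kpi: Kpi, value: float) -> str:
    """RAG-style status: GREEN when the value meets the target, otherwise RED."""
    met = value >= kpi.target if kpi.higher_is_better else value <= kpi.target
    return "GREEN" if met else "RED"


# --- Constructed sample data (hypothetical, not real findings) ---------------
AUDIT_ISSUES = [
    {"id": "AUD-1", "opened": date(2024, 1, 10), "closed": None},
    {"id": "AUD-2", "opened": date(2024, 5, 1), "closed": None},
    {"id": "AUD-3", "opened": date(2024, 2, 1), "closed": date(2024, 3, 1)},
]
INCIDENTS = [  # hours_to_close None means the ticket is still open
    {"id": "INC-1", "hours_to_close": 20, "sla_hours": 24, "breach": True},
    {"id": "INC-2", "hours_to_close": 80, "sla_hours": 72, "breach": False},
    {"id": "INC-3", "hours_to_close": 100, "sla_hours": 168, "breach": False},
    {"id": "INC-4", "hours_to_close": None, "sla_hours": 24, "breach": False},
]
SYSTEMS = [
    {"host": "srv-01", "missing_critical_patches": 0},
    {"host": "srv-02", "missing_critical_patches": 2},
    {"host": "srv-03", "missing_critical_patches": 0},
    {"host": "srv-04", "missing_critical_patches": 0},
]

# Assumed targets; real values come from the organization's own risk appetite.
KPIS = {
    "audit_issues_over_90d": Kpi("Open audit issues older than 90 days", 0, False, "monthly", "audit issue tracker"),
    "incidents_within_sla_pct": Kpi("% incidents closed within SLA", 60, True, "monthly", "ticketing system"),
    "incidents_breach_pct": Kpi("% incidents causing a breach/compromise", 30, False, "monthly", "incident register"),
    "patch_compliant_pct": Kpi("% systems with no missing critical patches", 95, True, "monthly", "patch management console"),
}


def audit_issues_over_90_days(issues, as_of: date) -> int:
    """KPI 3: issues still open that were opened more than 90 days before as_of."""
    return sum(1 for i in issues if i["closed"] is None and (as_of - i["opened"]).days > 90)


def pct_incidents_closed_within_sla(incidents) -> float:
    """KPI 10: share of closed incidents that met their SLA; open tickets are not scored yet."""
    closed = [i for i in incidents if i["hours_to_close"] is not None]
    if not closed:
        return 100.0
    within = sum(1 for i in closed if i["hours_to_close"] <= i["sla_hours"])
    return round(100.0 * within / len(closed), 1)


def pct_incidents_with_breach(incidents) -> float:
    """KPI 11: share of all reported incidents that resulted in an actual compromise."""
    if not incidents:
        return 0.0
    return round(100.0 * sum(1 for i in incidents if i["breach"]) / len(incidents), 1)


def pct_systems_patch_compliant(systems) -> float:
    """KPI 14: share of systems with zero missing critical patches."""
    if not systems:
        return 100.0
    return round(100.0 * sum(1 for s in systems if s["missing_critical_patches"] == 0) / len(systems), 1)


def scorecard(as_of: date = AS_OF) -> dict:
    """Evaluate every KPI and return {key: (value, status)}."""
    values = {
        "audit_issues_over_90d": audit_issues_over_90_days(AUDIT_ISSUES, as_of),
        "incidents_within_sla_pct": pct_incidents_closed_within_sla(INCIDENTS),
        "incidents_breach_pct": pct_incidents_with_breach(INCIDENTS),
        "patch_compliant_pct": pct_systems_patch_compliant(SYSTEMS),
    }
    return {key: (value, status(KPIS[key], value)) for key, value in values.items()}


if __name__ == "__main__":
    for key, (value, rag) in scorecard().items():
        k = KPIS[key]
        print(f"{rag:5} {k.name}: {value} (target {k.target}, {k.frequency}, source: {k.source})")
```

Keeping the target, frequency and source next to the computed value is what makes the number defensible in an audit: a reviewer can see which system of record produced it and which threshold it was judged against. Open incidents are deliberately excluded from the SLA percentage so that a still-open ticket neither inflates nor deflates the figure until it is closed.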
