
what factors are critical to the success of a cybersecurity performance measurement program?

Scoring a baseball game is a tradition that goes back to the sport's early days. For fans, it is a great way to become more involved, stay engaged during the game, and understand each game's story. In the end, every ballgame provides meaningful statistics that make it easy to know how well a team and its players performed during the season.

Unlike baseball, cybersecurity performance is not easily measured. In fact, most organizations would be hard-pressed to pull together a consistent set of statistics that tell the whole story. Why? The challenge is that cybersecurity metrics lose meaning outside of their specific context and don't lend themselves to an 'apples to apples' comparison with other environments or organizations.

In practice, these challenges contribute to overestimating or underestimating the effectiveness of cybersecurity programs. This does not mean there are not ways to effectively measure cybersecurity, both at a tactical and strategic level. However, tactical cybersecurity metrics are challenging as the denominator of the equation is almost always unknown (that is, we don't know how many actual attempts have been made to get into our network). Further, the statistics generated at the tactical level are relevant to our organization and relative to our previous observations.

At an absolute level, strategic security metrics are about understanding how each piece of a cybersecurity program fits together, what cybersecurity measures are in place, and the ability to implement controls in a timely fashion.

Strategic measurements begin with a holistic view of cybersecurity across three dimensions:

  • People – understanding how the people in the organization work
  • Process – ability of processes to deliver consistent results against desired goals and objectives
  • Technology – the use of reliable technologies to manage security risks

Understanding the Role of People in Security

Security is a holistic property of an organization's people, processes, and technology that is only as strong as the weakest link in the chain. The weakest link determines the entire organization's level of security. It should come as no surprise that people are often the weakest link in the chain. Often people are too optimistic and don't understand the risks, they assume that the technological safeguards in place will protect them, or they circumvent security measures in the name of convenience. So how can we protect our organizations from these challenges?

1. Communication
The first step is talking with the entire workforce on a consistent basis and getting their feedback, as well as socializing the rules and controls that are in place. The security team should consider and implement changes to their program based on user feedback. The aim is to drive end user adoption, raise compliance, and improve cybersecurity posture.

2. Training
The problem with communication is that it does not account for the ingenuity of humans when solving issues of convenience. It's one thing to make people aware of policies and procedures, it's another to have them adopt your security practices. In one case, a hospital implemented a rolling computer desk for doctors and nurses to use while going from room to room. The computer had an authentication mechanism that looked for the user to be in close proximity of the computer to keep the screen from automatically locking. This was an inconvenience when examining a patient and trying to log their condition. So the doctors and nurses came up with a simple solution – they placed a paper cup upside down on the proximity sensor so that it never locked them out, improving the user experience and defeating any security benefit. Technology cannot fix a people problem!

3. Controls
Evaluate security controls through the eyes of the everyday user. When security measures are too inconvenient, people will find ways to work around them. Getting buy-in from your end users is imperative to ensure compliance. If users understand the purpose of the controls and have a say in how they are implemented, they are more likely to abide by the rules and also enforce the controls among themselves.

Measuring Process Effectiveness

Processes are executed through a combination of people and tools. These processes are governed by policies, procedures, and risk priorities that drive security goals and objectives. People and process work together and outcomes should be repeatable with the ability to identify performance trends over time. In a mature organization, each security process needs to be fully developed and integrated with business processes that drive operations.

Defining security roles is one of the most important aspects of reviewing and refining your processes. Someone who has the complete trust and authority from the executive leadership must be designated as the decision-maker in a time of cybersecurity crisis. Crises require a strict chain of command in order to respond efficiently and effectively. The best way to ensure this is in place is to conduct tabletop exercises with the executive leadership and senior management.

Here are a few critical success factors in measuring process effectiveness:

  • Adopt a maturity model framework to evaluate cybersecurity processes and assign a maturity rating to each group of security processes based on specific criteria (organization vs. industry)
  • Secure leadership commitment to provide resources to gather process data, utilize the collected information for decision making, and mature the program over time
  • Invest in data quality to support measurement accuracy and confidence in the measured results
  • Commit to continuous improvement of security processes and find an appropriate balance between usability, security, and cost-effectiveness

Tools and process should work together and be repeatable with the ability to identify performance trends over time. Ultimately, processes should drive the selection and implementation of appropriate tools and technologies.

Evaluating Technology Effectiveness

Selecting and implementing security technology requires two resources that are hard to come by: money and qualified people. Each of these resources is scarce inside of businesses, as well as the cybersecurity community at large. Therefore, the most important part of measuring technology is proper prioritization of resources.

The critical success factors for measuring Technology Effectiveness are:

  • Defining technology security standards for the organization
  • Agreeing to the best KPIs/Technical measures of risk for the business
  • Measuring effectiveness against defined KPIs

For cybersecurity success from a technology perspective, a balance must be met and an understanding of your environment is required. Not every business requires every technology and not every technology is right for your business. The key to success is doing proper research, understanding how each technology piece works together, and building the infrastructure to support the technology.

While there is no scorecard to measure the effectiveness of a cybersecurity program, it's important to understand the proper application of the metrics you are analyzing. Each type of measurement has its benefits and its drawbacks. Look at how the processes are implemented and used to properly assess their effectiveness. Most importantly, don't get sucked into a numbers game, as your cybersecurity posture will come up lacking.


Source: https://www.idenhaus.com/measuring-effectiveness-cybersecurity-program/
