CISO Tip Series: The Top Metrics for CISOs to Track for Their Security Programs

As a CISO, it's essential to report how well your efforts are faring against evolving cyber criminals and cyber attacks. In Gartner’s cybersecurity business value benchmark article, Paul Proctor details 16 metrics that he says will “...transform how you discuss cybersecurity with your board of directors.” Many of our own Cybersecurity Performance Indicators (CPIs) align with Gartner’s, and they are marked as such in our platform. Here is a short list of some of our favorite metrics to help connect your cybersecurity program to business outcomes.


1. Mean Time To Resolve Incidents (Gartner's “Incident Remediation Time”)

Mean Time To Resolve Incidents, similar to Gartner's “Incident Remediation Time”, measures the average time it takes to resolve incidents during a specific day, regardless of the source, severity or other parameters. “Time to Resolve” is calculated as the time between the moment when the earliest occurrence or alert making up the incident/detection was created and the time that it was closed/resolved.

A response time that is too long increases the risk that a malicious actor will establish a foothold in the organization’s network, which can cause a longer and more complex remediation process and eventually result in significant damage to the organization. A high mean time to close incidents can indicate an inefficiency in the incident response process, a deficiency in the training or staffing of the SOC team, or an unusually high influx of incidents that is temporarily overwhelming the SOC/Incident Response teams.

2. Percent of Overdue Incidents

Percent of Overdue Incidents measures the percent of ‘open’ status Incidents exceeding the “Time to Resolve” SLA during a specified day regardless of the source or any other parameters. The measurement refers to the percent of Overdue Incidents out of all Incidents/Detections with “Open” status. “Overdue Incident” means that an incident/detection is not resolved yet and the time between the moment when the earliest occurrence or alert making up the incident/detection was created and the current time is longer than the “Time to Resolve” threshold defined by a user.

A high Percent of Overdue Incidents, in the case of Service Providers, may indicate a risk of breaching vendor SLA agreements regarding incident resolution time.

3. Incident False Positive Rate

Incident False Positive Rate tracks the percent of incidents that are closed/resolved as False Positive alerts during a specified day regardless of the source or any other parameters. The measurement refers to the percent of Incidents/Detections that were resolved as False Positive by the SOC team during a specified day. ‘False Positive’ means that an incident/detection was marked by the SOC or Incident Response team as a false positive, regardless of the reason why it was given this tag.

When the number of False Positive incidents coming in is too high, the Security Team spends ever more time closing out those false alarms rather than dealing with actual threats, which greatly reduces the team's effectiveness. High rates of False Positive Incidents can indicate a high false-positive rate in the detection product or its detection logic, or an inability to define/customize precise detection logic within detection products.

4. Percent of Users Without MFA Enabled (Gartner’s “Multifactor Authentication Coverage”)

Percent of Users Without MFA Enabled is closely related to Gartner’s “Multifactor Authentication Coverage” metric. It tracks the percentage of users who have not enabled multifactor authentication. A high percentage of users that do not have multi-factor authentication enabled puts the organization at high risk. Those users are more vulnerable to takeover by malicious actors, which can potentially lead to a data breach and total business disruption.

The risk posed by this issue is greatly increased if the accounts have elevated privileges. A high percentage of privileged users without MFA can indicate that IAM security best practices are not being followed. It can also indicate a deficiency in user training.

5. Mean Time To Discover Incidents

Mean Time To Discover Incidents tracks the daily average time it takes to discover malicious/suspicious activity and create an incident/detection during a specified day. The measurement refers to the mean time to discover any incidents created during the same date regardless of the source, logic, or any other parameters. “Time to Discover” is calculated as the time between the moment when malicious/suspicious activity took place and the time when an incident/detection was created.

As discovery time grows, so does the risk that an adversary will establish a foothold in the organizational network, which can cause a longer and more complex remediation process and eventually result in significant damage to the organization. A high mean time to discover incidents can indicate an inefficiency in the malicious-activity detection technology. A low mean time to discover means that your threat detection is effective.

6. Mean Time To Resolve Vulnerabilities

Mean Time To Resolve Vulnerabilities measures the daily average time it takes to close/resolve vulnerabilities during a specified day regardless of the vulnerability severity or other parameters. “Time to Resolve” is calculated as the time between the moment when a vulnerability was initially discovered and the time it was closed/resolved.

A response time that is too long increases the organizational exposure and risk that vulnerabilities will be discovered and abused by a malicious actor, leading to a live incident that could potentially involve a breach of the organization’s network and cause significant damage to the organization. A high mean time to resolve vulnerabilities can indicate an inefficiency in the vulnerability and patch management system or processes or a deficiency in the training or staffing of the Vulnerability Management team. 

7. Percent of Vulnerabilities Resolved Late

Percent of Vulnerabilities Resolved Late tracks the percent of vulnerabilities that were closed/resolved past the “Time to Resolve” (TTR) threshold for their severity during a specified month regardless of the source, severity or other parameters. “Time to Resolve” is calculated as the time between the moment when the vulnerability was initially discovered and the time it was closed/resolved.

A response time that is too long increases the organizational exposure and risk that vulnerabilities will be discovered and abused by a malicious actor, leading to a live incident that could potentially involve a breach of the organization’s network and cause significant damage to the organization. A high percentage of vulnerabilities resolved late can indicate an inefficiency in the vulnerability and patch management system or processes, or a deficiency in the training or staffing of the Vulnerability Management team.

8. Phishing Simulation Click Rate (Gartner's “Phishing Training - Click Throughs”)

Phishing Simulation Click Rate is similar to Gartner's “Phishing Training - Click Throughs” metric. This metric measures the malicious link click rate for simulated phishing emails. Through simulated phishing emails, your organization’s susceptibility to phishing email scams can be tracked. The resulting percentage represents the proportion of employees who were misled by the simulated phishing email on a specific date.

A high click rate means that the organization is highly susceptible to a phishing attack. Phishing attacks can lead to loss of sensitive data and financial loss. A high rate can mean that the organization needs more phishing training to prevent click-throughs. A low click rate can mean that phishing training is effective.

9. Percent of Overdue Vulnerabilities

Percent of Overdue Vulnerabilities tracks the percent of vulnerabilities that are at “Open” status and past the “Time to Resolve” threshold for their severity out of all “Open” vulnerabilities during a specified day regardless of the source, severity, or other parameters. The measurement refers to the percent of Overdue vulnerabilities out of all vulnerabilities with an unresolved status. “Overdue Vulnerability” means that a vulnerability is not resolved yet and the time between the moment when the vulnerability was initially discovered and the current time is longer than the “Time to Resolve” threshold defined by a user.

A high rate of overdue vulnerabilities increases the organizational exposure and the risk that vulnerabilities will be discovered and abused by a malicious actor, leading to a live incident that could potentially involve a breach of the organization’s network and cause significant damage to the organization. High rates of overdue vulnerabilities can indicate an inefficiency in the vulnerability and patch management system or processes or a deficiency in the training or staffing of the Vulnerability Management team.

10. Percent of Open Vulnerabilities with Exploits

Percent of Open Vulnerabilities with Exploits tracks the percent of vulnerabilities that are unresolved and have a publicly known exploit. The measurement refers to the percent of vulnerabilities that have an “Open” status and a “Known” exploit out of all “Open” vulnerabilities during a specified day. The CPI is calculated for any vulnerabilities with a known exploit regardless of the vulnerability source, severity, or other parameters. “Known Exploit” refers to vulnerabilities that have been exposed and reported by a security agency such as CISA.

A high percent of vulnerabilities with known/public exploits significantly increases the organizational exposure and risk that vulnerabilities will be discovered and abused by a malicious actor, leading to a live incident that could potentially involve a breach of the organization’s network and cause significant damage to the organization. It can indicate inefficiency in the vulnerability and patch management system and processes, a deficiency in the training or staffing of the Vulnerability Management team, or challenges in vulnerability patching prioritization procedures.
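The incident CPIs (1 to 3) and the vulnerability CPIs (6, 7, 9 and 10) computed from constructed records, as an added example that is not part of the original post or the Onyxia platform; the SLA thresholds, field names and severity scale are assumptions, since the post leaves them user-defined.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed SLA thresholds; the post leaves these user-defined.
INCIDENT_TTR = timedelta(hours=24)
VULN_TTR = {"critical": timedelta(days=7), "high": timedelta(days=30),
            "medium": timedelta(days=90), "low": timedelta(days=180)}

@dataclass
class Incident:
    first_alert: datetime           # earliest alert making up the incident
    closed: datetime = None         # None while the incident is still open
    false_positive: bool = False    # tagged FP by the SOC at closure
@dataclass
class Vulnerability:
    discovered: datetime
    severity: str                   # key into VULN_TTR
    closed: datetime = None
    known_exploit: bool = False     # e.g. reported by an agency such as CISA

def _pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def incident_cpis(incidents, now):
    """CPIs 1-3: MTTR in hours, % of open incidents overdue, % closed as false positive."""
    closed = [i for i in incidents if i.closed]
    open_ = [i for i in incidents if not i.closed]
    hours = [(i.closed - i.first_alert).total_seconds() / 3600 for i in closed]
    return {"mttr_hours": round(sum(hours) / len(hours), 1) if hours else 0.0,
            "pct_overdue": _pct(sum(now - i.first_alert > INCIDENT_TTR for i in open_), len(open_)),
            "pct_false_positive": _pct(sum(i.false_positive for i in closed), len(closed))}

def vulnerability_cpis(vulns, now):
    """CPIs 6, 7, 9, 10; each vulnerability is judged against the TTR for its severity."""
    closed = [v for v in vulns if v.closed]
    open_ = [v for v in vulns if not v.closed]
    days = [(v.closed - v.discovered).days for v in closed]
    return {"mttr_days": round(sum(days) / len(days), 1) if days else 0.0,
            "pct_resolved_late": _pct(sum(v.closed - v.discovered > VULN_TTR[v.severity] for v in closed), len(closed)),
            "pct_overdue": _pct(sum(now - v.discovered > VULN_TTR[v.severity] for v in open_), len(open_)),
            "pct_open_with_exploit": _pct(sum(v.known_exploit for v in open_), len(open_))}

# Constructed sample records for one reporting day (not real data).
NOW = datetime(2024, 3, 1, 12)
INCIDENTS = [Incident(datetime(2024, 2, 28, 12), datetime(2024, 2, 29)),            # closed after 12 h
             Incident(datetime(2024, 2, 28, 6), datetime(2024, 2, 28, 8), True),    # closed after 2 h, FP
             Incident(datetime(2024, 2, 28), datetime(2024, 2, 29, 4)),             # closed after 28 h
             Incident(datetime(2024, 2, 29, 18)), Incident(datetime(2024, 2, 27))]  # open 18 h / open 3.5 d (overdue)
VULNS = [Vulnerability(datetime(2024, 1, 1), "critical", datetime(2024, 1, 5)),     # 4 d, within SLA
         Vulnerability(datetime(2024, 1, 1), "high", datetime(2024, 2, 10)),        # 40 d, resolved late
         Vulnerability(datetime(2024, 2, 20), "critical", known_exploit=True),      # open 10 d, overdue
         Vulnerability(datetime(2024, 2, 25), "medium"), Vulnerability(datetime(2023, 12, 1), "low", known_exploit=True)]  # open, within SLA
```

Call `incident_cpis(INCIDENTS, NOW)` and `vulnerability_cpis(VULNS, NOW)` for the day's figures; an empty input yields zeros rather than a division error.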

Summary

Program metrics are important for continuous monitoring of risks and vulnerabilities. They are also helpful when reporting to stakeholders because they can express the status of your cybersecurity program concisely and in a straightforward way. Onyxia’s CPIs have adjustable SLAs (Service Level Agreements), a customizable and practical feature that allows you to personalize metrics to your needs.


Book a demo of the award-winning Onyxia Cybersecurity Management Platform today!
