Since many businesses, particularly small and mid-sized ones, continue to face multiple challenges with cybersecurity (such as a shortage of cybersecurity experts and budget restraints that hold companies back from taking even the smallest steps towards cybersecurity), a list of infosec metrics that lets you identify where you stand with cybersecurity can be of great assistance.
When it comes to metrics, information security has many that CIOs use, and CEOs too, if they have done some digging on the topic or have been exposed to some type of cybersecurity training for their company’s benefit (maybe a seminar or a consultation with a security expert). However, as with most metrics, some are more useful than others.
With this in mind, we want to share three infosec metrics for tracking cybersecurity that aren’t very typical but are very useful in a business sense. They make it easy for a CEO (with or without a CIO) to know how to measure their cybersecurity efforts, what to look for that can be improved, and why the infosec metrics matter to the success of the business.
ROI (return on investment) of cybersecurity tools, technology, and investments
The same way you evaluate the investments you make with your yearly budget, you want to evaluate what you spend on cybersecurity. This means checking whether the tools, technology, and any external consultations you’ve invested in so far are working the way you need them to and have brought you closer to a place where you feel at least somewhat prepared if a breach took place.
Even if you don’t have an infosec department, you do have the list of every antivirus product and piece of software you’re using to warn you of potential dangers and vulnerabilities to the network and within your organization. If, for example, your antivirus sends you too many false positives, or its warnings about patching and software updates are being ignored, you may want to reconsider your options. Another example is if you haven’t revisited or applied the business continuity plan (BCP) you organized with the security team and/or an outside consultant. You may not have to pay for a new BCP, but you should be able to take it out, revisit it, and implement it so that the money you spent on it isn’t wasted.
Knowing the potential cost of a security incident for your business
Costs are not what leads to holistic cybersecurity; usually they are an impediment to it. What is valuable for a business, in a cybersecurity sense, is to be prepared for the costs that come with incidents. The average cost per breached record is shared with the community at large every year, and we update the blog with these studies as they come out.
Being prepared for a breach so that you stay in business means knowing how much data you have, what type of data it is, and what fines and/or costs follow if that data were accessed. Your financial department can do this the same way they perform a cost analysis, and your cybersecurity insurance company could possibly help in that area as well. Most importantly, you want to account for the unexpected in this way, because it is the only way you can hope to be prepared when the time comes, no matter how large or small the security incident may be.
Have a detailed list of who has access to what data and to what extent
A list of employees, executives, management, and everyone else who works within the company is something your human resources department most likely has handy. With such a list, it doesn’t take much to organize which areas of the network, data, and software every member has access to throughout the organization. It is then important to know what type of information is held in each of these areas, both client information and employee information. You want to track the level of permissions everyone has to the cloud and the network, including your IT personnel and executive team, since it’s not a sure thing that they won’t fall for a phishing scam.
Alongside the level of access (to what, and to what extent), you also want to have clearly detailed what security measures are in place to prevent data leaks and/or information from being taken by an outsider. If, for example, it’s only your antivirus and the patching of software and technology, at least you know this is what needs to work effectively and stay up to date to leave your business the least vulnerable possible with the means available to you.
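The access inventory described above can be kept as a small cross-reference between the HR roster and the permission grants exported from each system. The following is an added example, not NCX Group’s code or tooling; the roster, the data-area classifications, the grants, and the user names are all constructed for illustration. It builds the who-has-what matrix, then flags the two things a reviewer most wants to see: accounts with access that are no longer on the HR roster, and grants to areas the person’s department has no stated need for.

```python
"""Access review: cross-reference an HR roster with exported permission grants.

Added example (not NCX Group's code). All data below is constructed.
"""
from collections import defaultdict

# Constructed HR roster: user -> department (what HR "has handy")
HR_ROSTER = {
    "alice": "finance",
    "bob": "sales",
    "carol": "it",
    "dave": "executive",
}

# Constructed data areas: what kind of information each holds and which
# departments have a legitimate need for it
DATA_AREAS = {
    "payroll_db":   {"class": "employee-pii",   "needed_by": {"finance"}},
    "crm":          {"class": "client-pii",     "needed_by": {"sales", "executive"}},
    "cloud_admin":  {"class": "infrastructure", "needed_by": {"it"}},
    "shared_drive": {"class": "internal",       "needed_by": {"finance", "sales", "it", "executive"}},
}

# Constructed grants as you would export them from each system: (user, area, level)
GRANTS = [
    ("alice", "payroll_db", "read"),
    ("alice", "crm", "admin"),         # finance user holding admin on client data
    ("bob", "crm", "write"),
    ("bob", "shared_drive", "read"),
    ("carol", "cloud_admin", "admin"),
    ("carol", "payroll_db", "admin"),  # IT account with admin on employee PII
    ("dave", "crm", "read"),
    ("eve", "shared_drive", "read"),   # account still active, user not on roster
]

LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}


def build_access_matrix(grants):
    """Return user -> {area: highest level granted}, collapsing duplicate grants."""
    matrix = defaultdict(dict)
    for user, area, level in grants:
        current = matrix[user].get(area)
        if current is None or LEVEL_RANK[level] > LEVEL_RANK[current]:
            matrix[user][area] = level
    return dict(matrix)


def review_access(roster, areas, grants):
    """Cross-reference grants against the roster and the need-to-know map.

    orphaned: users with grants who are not on the HR roster
    excess:   grants where the user's department has no stated need for the area
    exposure: for each data class, every user who can reach it at any level
    """
    matrix = build_access_matrix(grants)
    orphaned = sorted(user for user in matrix if user not in roster)
    excess = []
    exposure = defaultdict(set)
    for user, user_areas in matrix.items():
        dept = roster.get(user)
        for area, level in user_areas.items():
            info = areas[area]
            exposure[info["class"]].add(user)
            if dept is not None and dept not in info["needed_by"]:
                excess.append((user, area, level))
    return {
        "matrix": matrix,
        "orphaned": orphaned,
        "excess": sorted(excess),
        "exposure": {cls: sorted(users) for cls, users in exposure.items()},
    }


def format_report(review, roster):
    """Render the review as plain lines suitable for a board or executive summary."""
    lines = ["Access by person:"]
    for user in sorted(review["matrix"]):
        dept = roster.get(user, "NOT ON ROSTER")
        grants = ", ".join(f"{a}:{l}" for a, l in sorted(review["matrix"][user].items()))
        lines.append(f"  {user} ({dept}): {grants}")
    lines.append("Accounts to disable (not on HR roster): " + (", ".join(review["orphaned"]) or "none"))
    lines.append("Grants beyond departmental need:")
    for user, area, level in review["excess"]:
        lines.append(f"  {user} has {level} on {area}")
    lines.append("Who can reach each data class:")
    for cls, users in sorted(review["exposure"].items()):
        lines.append(f"  {cls}: {', '.join(users)}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(review_access(HR_ROSTER, DATA_AREAS, GRANTS), HR_ROSTER)))
```

Run against real exports, the same three lists answer the questions in this section directly: the exposure list is the "what type of information" view per data class, the excess list is where permissions exceed what the role needs, and the orphaned list is the first thing to clean up, since an account nobody owns is the one no one will notice being phished.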
Although not your typical idea of metrics, these three ways of measuring cybersecurity areas and where they stand are useful to a CIO and/or CEO for both implementation and review. As a CIO, you can present these infosec metrics to the board and executive team so they can see the value of what is being done for cybersecurity, as well as what can be done to make any improvements necessary. As a CEO, you can also implement them and see value immediately, because they are not written in the kind of technical language that doesn’t translate well to business talk.
Security incidents are never guaranteed not to take place, even for companies that do everything they can to implement a holistic cybersecurity posture. This doesn’t mean discounting effective cybersecurity; it means taking the steps necessary to get your business there, defending with what you can, and bringing the business to a place where it can finally sustain a holistic and proactive risk management process.
Cybersecurity isn’t something businesses can do without anymore. It’s been this way for a long time, and one could argue that it’s been this way since the first digital asset was used in business operations. However, today, it’s known worldwide, and there are also laws in place to ensure companies take the proper measures to protect their customers and their business (compliance for privacy and security).
These three infosec metrics are meant to translate cybersecurity into terms that show you how to measure it and implement more of it throughout your business, in a business operational sense, with a focus on risk management and on securing the company’s data, network, and people.
If you need assistance, you always have NCX Group and our security experts to turn to.
Photo courtesy of alexskopje