Key Performance Indicators (KPIs)


  • measure progress toward goals
  • identify areas for improvement in operation
  • provide insight into effectiveness of cybersecurity programs
  • choose metrics that are easy to track and reflect goals and objectives
  • KPIs provide data by tracking metrics
  • allow for comparison of cybersecurity efforts
    • vs other orgs and industry averages
  • help determine if resources are required

Examples

  • KPIs to measure the effectiveness of cybersecurity efforts:
    • Incidents
    • Detection time
      • indicates average time it takes to detect incidents
      • use to track how incident response efforts change over time
      • compare detection time to industry averages
    • Indicators of Compromise (IoCs)
      • indicates the number of IoCs an org has in its systems, networks, etc.
      • can track over time to determine if IoCs are increasing in your environment
    • Threats
      • indicates the number of threats an org has identified
    • Risk assessment
      • indicates risk assessment results
      • can compare risk assessments vs other orgs
    • Resource allocation
      • indicates the % of cybersecurity resources organizations allocate to different areas (e.g., prevention and detection)
      • can track over time to determine if appropriate resources are allocated

How to Measure KPIs

  • can be measured with:
    • manual system
      • require employees to enter data manually
    • automated system
      • record information by pulling data from various sources
  • can track using:
    • spreadsheets
    • databases
    • specialized platforms

Challenges of Using KPIs

  • Incidents can be subjective
    • can be challenging to determine the actual number of incidents
      • due to the subjective nature of classifying incidents
    • orgs can use different scales to assess each incident’s severity level
      • scales are generally not standardized
  • False positives
    • automated tracking systems may record false positives
  • Inaccurate cybersecurity landscape data
    • can occur when organizations need more effective tools for capturing accurate data about current threats and trends
  • Irrelevant data
    • KPI data might not be relevant to the organization
  • KPI-based decision-making is complicated
    • use data analytics and advanced software tools to understand the data and make informed decisions

Service Level Objectives (SLOs)

Service level objectives (SLOs) provide a benchmark by which security operations can measure their performance and help ensure they meet leadership’s expectations.

  • must be measurable, achievable, and realistic
  • set targets that are attainable but also challenging enough to foster growth
  • should be flexible and adaptable