IT World Canada


Yogi Schulz

Published: July 3rd, 2015


Every day businesses are forced to spend increasing amounts of precious management time and resources on cybersecurity as data breaches, threats and risks keep piling up. CIOs are asking senior management to spend more and more on risk assessment, incident management, consultants, specialized intrusion detection software and fancy, pricey network hardware.

Senior management is rightly asking: When will this investment end? How much is enough? Am I still at risk of a high-profile disaster, like Sony, occurring on my watch? CIOs can’t answer these questions meaningfully without some data from cybersecurity Key Performance Indicators (KPIs). However, CIOs struggle to identify, design, operate and report on meaningful KPIs.

Here’s a list of resources that will help you quickly define cybersecurity KPIs that are likely to be meaningful for your organization. These resources have been developed through the collaboration of many cybersecurity experts and practitioners. By using one of these resources you will have the assurance that your KPIs are reasonably comprehensive and that you don’t have glaring cybersecurity holes not covered by KPIs. The KPIs can be tracked and reported on easily.

A Taxonomy of Operational Cyber Security Risks Version 2

This Taxonomy of Operational Cyber Security Risks identifies and organizes the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements.

You can use this taxonomy to quickly identify KPIs that are meaningful to your organization. You can then regularly report KPI statuses to management within the four, easy-to-understand classes.

Cybersecurity Self-Assessment Guidance

This Self-Assessment Guide takes a check list approach to evaluating cybersecurity readiness. While focused on Canadian federally regulated financial institutions (FRFIs), the self-assessment contains many good questions that any organization will find worth asking.

You can easily adapt this self-assessment to your organization and then quickly answer it quarterly. Now you have a basis for reporting cybersecurity progress or deterioration to your management.

The United States NIST Cybersecurity Framework

The NIST Cybersecurity Framework is broken into four elements: (1) Functions that organize security activities at their highest level, (2) Categories that subdivide functions into cybersecurity outcomes, (3) Subcategories that divide categories into specific outcomes and management activities, (4) Informative References that illustrate methods to achieve the outcomes associated with each subcategory. The NIST cybersecurity framework also defines four tiers that characterize an organization’s cybersecurity capability.

You can use this substantial framework to identify KPIs that are meaningful to your organization. You can then regularly report cybersecurity status to management using a set of KPIs associated with the four elements and the four capability tiers.

Critical Security Controls for Effective Cyber Defense

The Critical Security Controls focus on prioritizing security functions that are effective through twenty cyber security controls that have demonstrated real world effectiveness. The controls approach challenges the usefulness of taxonomies and frameworks like those listed above.

You can use the twenty cyber security controls to identify KPIs that are meaningful to your organization. You can then regularly report status to management using KPIs associated with the twenty cybersecurity controls.

These resources will help you cost-effectively define, operate and report on meaningful cybersecurity KPIs.

Can you share any examples of cyber security KPIs that you found effective? Do you have any experience using these four resources that you can share?