March 4th, 2019
Defining Cyber Security Performance Management
Cyber security performance management is the process of understanding your security program’s maturity, mapped to the organization’s top-level risks, together with the investment (people hours and capital) required to raise cyber security posture to the levels the organization has set as its goals.
Performance Management Revisited
Performance management is not a new concept. As our Board Advisor Steve Katz says, “The security program should be run like a business within the business.”
The Cambridge Dictionary defines performance management as:
Much of this definition applies when you set out to improve your understanding of your organization’s cyber security posture. Questions that you will be asked include:
- How are we performing against our adopted control framework?
- What is our current maturity level?
- Are we making adequate investments? If not, where do investments need to be increased and why?
- What is our ideal future run-rate investment on cyber security?
- How much risk will we have once our run-rate is achieved?
These and other questions will be asked by the CEO, CFO or your Board of Directors, so it is important to have ready the business narrative describing your cyber security posture.
How Performance is Measured Today
Most cyber security teams today track performance through an annual or twice-yearly assessment, either a third-party maturity review or an internally driven one. The results are a static snapshot, with no tooling to manage progress beyond the report itself. The key components of cyber security performance management are the ability to measure maturity against a set of controls, generally derived from the common frameworks and regulations aimed at improving and governing cyber security posture, and to roll those measurements up. Measuring the maturity of the selected controls builds an understanding of how effective the program is, and the rolled-up results inform executive leadership and the Board of Directors in a form they can readily understand.
Tracking Performance Over Time
Common practice for tracking cyber security performance is one or more spreadsheets with complex formulas for deriving progress. Many teams start from the static results of a third-party assessment and have to turn them into an action plan. Progress is then measured on best guesses, which leaves much room for error. The effort of tracking progress over time also taxes an already overburdened cyber security workforce, and such an approach often becomes unsustainable or too expensive to continue. This creates the need for automation to reduce effort and improve performance tracking.
Automating Cyber Security Performance
Automating a process is worth doing when it reduces the time spent on repetitive tasks and increases the fidelity of the process. The same holds true for cyber security performance. Imagine being able to produce, on a repeatable basis, reports that management understands, and then having confidence in those reports while presenting the data to management. A number of innovative security leaders are beginning to explore methods to automate their cyber security performance measurement and create transparency and accountability across diverse teams. Automation promises to reduce the manual burden while creating an audit trail of every change to the recorded performance. Further, automating the measurement of performance based on maturity and comparing it against risks provides the framework for your business narrative. Your story will paint a picture of your cyber security performance, colored by the investments and staff effort your business puts into securing the organization and its cyber assets.
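The roll-up, gap and progress calculations described in the two sections above, as an added example; this is not code from the original post or from any product it refers to. Control identifiers, framework function names, risk weights, the 0–5 maturity scale, target levels and the two assessment snapshots are all constructed for illustration, and the weighting scheme (risk weight times maturity score, averaged per function) is one simple choice among many, not a prescribed method.

```python
"""Roll up control maturity, compare to targets, and track change between
assessments. Constructed example data; not a real framework mapping."""

# Constructed control set: each control belongs to a framework function and
# carries a risk weight expressing how strongly it maps to a top-level risk.
CONTROLS = {
    "ID-1": {"function": "Identify", "weight": 2},
    "ID-2": {"function": "Identify", "weight": 1},
    "PR-1": {"function": "Protect", "weight": 3},
    "PR-2": {"function": "Protect", "weight": 1},
    "DE-1": {"function": "Detect", "weight": 2},
    "RS-1": {"function": "Respond", "weight": 2},
}

# Two constructed assessment snapshots: maturity score 0-5 per control id.
SNAPSHOTS = {
    "2018-H2": {"ID-1": 2, "ID-2": 3, "PR-1": 2, "PR-2": 4, "DE-1": 1, "RS-1": 2},
    "2019-H1": {"ID-1": 3, "ID-2": 3, "PR-1": 3, "PR-2": 4, "DE-1": 2, "RS-1": 2},
}

# Constructed target maturity (the organization's goal) per function.
TARGETS = {"Identify": 3.0, "Protect": 3.5, "Detect": 3.0, "Respond": 3.0}


def rollup(scores, controls=CONTROLS):
    """Weighted mean maturity per function. Refuses to silently skip an
    unscored control, since a missing score would inflate the average."""
    totals = {}
    for cid, meta in controls.items():
        if cid not in scores:
            raise KeyError(f"no score recorded for control {cid}")
        fn, w = meta["function"], meta["weight"]
        num, den = totals.get(fn, (0.0, 0.0))
        totals[fn] = (num + w * scores[cid], den + w)
    return {fn: round(num / den, 2) for fn, (num, den) in totals.items()}


def gaps(rolled, targets=TARGETS):
    """Shortfall against target per function (0.0 once the target is met)."""
    return {fn: round(max(0.0, targets[fn] - rolled.get(fn, 0.0)), 2)
            for fn in targets}


def progress(before, after):
    """Change in rolled-up maturity per function between two assessments."""
    return {fn: round(after[fn] - before[fn], 2) for fn in before}


def control_changes(before, after):
    """Control-level audit trail: every control whose score moved."""
    return sorted((cid, before[cid], after[cid])
                  for cid in before if before[cid] != after.get(cid))


def report(snapshots=SNAPSHOTS, targets=TARGETS):
    """Assemble the figures a leadership narrative would draw on."""
    periods = sorted(snapshots)
    rolled = {p: rollup(snapshots[p]) for p in periods}
    latest = rolled[periods[-1]]
    return {
        "period": periods[-1],
        "maturity": latest,
        "gaps": gaps(latest, targets),
        "progress": progress(rolled[periods[0]], latest) if len(periods) > 1 else {},
        "changes": control_changes(snapshots[periods[0]], snapshots[periods[-1]])
        if len(periods) > 1 else [],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed data, the 2019-H1 roll-up meets the Identify target, falls 0.25 short on Protect and a full point short on Detect and Respond, and the change list shows exactly which controls moved since 2018-H2; the same functions can be run against each new assessment so progress is computed rather than guessed.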
To explore this topic in more detail, I encourage you to schedule a short meeting for reviewing industry use cases for automating cyber security performance.