Defining Cybersecurity Performance Management

Cybersecurity performance management is the process of understanding your cybersecurity program’s maturity mapped to top-level risks and the associated level of investments (people hours and capital) required to improve cyber security posture to adequate levels (goals) of the organization.

“The cybersecurity program should be run like a business within the business.”

Performance Management Revisited

Performance management is not a new concept. As our Board Advisor Steve Katz says, “The cybersecurity program should be run like a business within the business.”

Much of this definition applies when you look to improve understanding the cyber security posture of your organization. Questions that you will be asked include:

  1. How are we performing against our adopted control framework(s)?
  2. What is our current maturity level?
  3. Are we making adequate investments? If not, where do investments need to be increased and why?
  4. What is our ideal future run-rate investment on cyber security?
  5. How much risk will we have once our run-rate is achieved?

These and other questions will be asked by the CEO, CFO, and your Board of Directors, so it is important to have ready the business narrative describing your cyber security posture.

How Performance is Measured Today

Most cybersecurity teams today track performance based on either an annual or semi-annual third-party or internally-driven maturity assessment. Results provided are a snapshot with no tools to manage beyond the report – that is, the picture is a static snapshot.

Key components to cybersecurity performance management include the ability to measure maturity from a set of controls generally derived from common frameworks and regulations aimed at improving and governing cybersecurity posture. Measuring maturity of selected controls drives an understanding of cybersecurity program effectiveness and informs, when results are rolled up, executive leadership and Board of Directors in a way that is easily understood.

Tracking Performance Over Time

Common practices to track cybersecurity performance include using one or more spreadsheets with complex formulas for deriving progress. Unfortunately, many teams are faced with static results from third-party assessments and need to take these results and put them into an action plan. Progress is measured based on best-guesses which leaves a lot of room for error. In addition, the level of effort to track progress over time taxes the already overburdened cyber security team. Such an approach becomes unsustainable or too expensive to continue. This leads to the need for automation to reduce effort and improve performance tracking.

Automating Cybersecurity Performance Management

Automating a process is worth doing when it reduces time needed for repetitive tasks and increases the fidelity of the process. The same holds true with cybersecurity performance. Imagine being able to repetitively produce reports that management understands and then having confidence in your reports while presenting the data to management.

Innovative security leaders are beginning to explore methods to automate their cybersecurity performance and create transparency and accountability across diversified teams. Automation holds the promise to reduce the manual burden while creating an audit trail of any changes to the cybersecurity performance.

Further, automating measurement of performance based on maturity and compared to risks provides the framework for your business narrative. Your story will provide a picture of your cybersecurity performance colored by your business investments and staff efforts to secure your organization and its cyber assets.

Board Reporting

Another key element of cybersecurity performance management is the ability to automatically generate dashboards with dynamic data visualization that the Board, the executive team, and the security ops team can all get value from. These dashboards, analytics, and reports should communicate where the organization is in its maturity, what the desired goals are, and what it will cost to close the maturity gap.