
Budget Approved: 13 Cybersecurity KPIs That CISOs Can Present to the Board

When reporting to the board, a CISO must translate technical risk into terms the board recognizes, present the key findings, and show that cybersecurity initiatives are aligned with business objectives.

Expressed in those terms, spending on cyber risk mitigation can be shown to protect profit, and potentially to add to it.

Although CISOs and board directors should be aligned, they are often worlds apart. One reason is that most board members have little cybersecurity experience, if any at all. This is where the misalignment typically begins.

A recent study found that only 29% of CISOs said their board includes at least one member with cybersecurity expertise. This makes it difficult for a CISO to convey the organization's risk appetite during a lengthy board presentation. If the CISO does not have the support of the CEO or the rest of the C-suite, the odds of receiving sufficient cybersecurity funding diminish greatly.

There is an easier way to translate risk into profit. The solution? Business-defined cybersecurity KPIs. These KPIs serve as actionable benchmarks that can be measured and conveyed in quantifiable ROI terms that every board director can understand.

Let's face it: the board holds the CISO accountable for the security of the entire organization. The question it wants answered is whether the existing cybersecurity solutions and investments yield a positive ROI, or whether the organization's defenses leave it at risk of a major ransomware attack. Cybersecurity KPIs address those questions in relatable terms, with actionable data that everyone can understand.

13 Business-Related Cybersecurity KPIs and How to Measure Them Efficiently 

Here are 13 business-related cybersecurity KPIs that can be benchmarked and measured for success.

Each KPI is listed with its definition and a starting benchmark.

Cybersecurity ROI
Definition: Measures the cost-benefit ratio of cybersecurity investments.
Benchmark: Compare the cost of the security program with the losses it avoided: breaches prevented, downtime reduced, and the data leakage, legal fees and reputational damage that a security incident would otherwise have incurred.

Cost per Incident
Definition: The average total cost incurred for each security incident.
Benchmark: Sum incident response labor, IT support tickets, estimated legal fees and other direct costs, divide by the number of incidents, and compare with the previous year.

Security Incidents per Month/Quarter
Definition: The number of security incidents reported within a specified timeframe.
Benchmark: Aim to reduce the number of major incidents (ransomware, phishing attacks, etc.) per quarter. Break the count down by severity: a rise in reported low-severity incidents can mean detection has improved, not that security has worsened.

Mean Time to Detect (MTTD)
Definition: The average time from the start of a security incident to its identification.
Benchmark: Set a benchmark of 24 hours (the first hour is the most crucial).

Mean Time to Contain (MTTC)
Definition: The average time from detection of a security incident to its containment.
Benchmark: Aim for 2-4 hours, depending on the scope of the incident.

Mean Time to Respond (MTTR)
Definition: The average time from detection of an incident to the completion of mitigation.
Benchmark: Aim for 24 hours for high-risk incidents. Factor in planning and incident response team time, which varies between organizations.

Incident Response Time
Definition: Measures how quickly security incidents are identified and mitigated, tracked per severity tier.
Benchmark: Critical incidents receive top priority; compare each tier with the previous quarter.

Vulnerability Detection Rate
Definition: The percentage of known vulnerabilities that are detected within a specific timeframe.
Benchmark: Prioritize mitigation of business-critical vulnerabilities. Aim to improve the rate by 20% over the previous month.

Compliance Rate
Definition: The percentage of security protocols and policies, such as ISO 27001 or PCI DSS controls, implemented within the organization. It can be measured in terms of completed audits.
Benchmark: A good benchmark is 90-95% audit completion.

MFA Coverage
Definition: The percentage of user accounts, systems or endpoints secured with multi-factor authentication.
Benchmark: 95% coverage for privileged user accounts, with every uncovered privileged account tracked as a named exception. Ensure BYOD policies are enforced for remote access, and benchmark QoQ.

Security Training Completion Rate
Definition: The percentage of employees who have completed mandatory cybersecurity awareness training.
Benchmark: Set a realistic target of an 80% completion rate and incentivize employees through gamification and leadership awards.

Number of Critical Vulnerabilities Discovered
Definition: The number of business-critical vulnerabilities discovered in the period, as defined by a scoring system such as CVSS.
Benchmark: Compare the number of mitigated high-risk vulnerabilities YoY and set targets during Q4 for the following fiscal year.

Open vs. Closed Vulnerabilities
Definition: Monitors the number of known vulnerabilities that have been closed (resolved) versus those still open (unresolved).
Benchmark: Set a target of closing 90% of high-risk vulnerabilities within 20 days of discovery. Compare results QoQ.

Start with those KPIs and benchmarks. Adjust accordingly.
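The time-based KPIs above (MTTD, MTTC, MTTR) and the open-vs-closed vulnerability target only compare cleanly quarter over quarter if they are computed the same way every time, including how still-open incidents and still-open vulnerabilities are counted. The following Python is an added illustration, not code from the original article or from HolistiCyber; the record fields, the CVSS 7.0 floor for "high-risk", the 20-day SLA and the sample data are all assumptions made for the example.

```python
"""Compute MTTD, MTTC, MTTR and the high-risk vulnerability SLA from raw
incident and vulnerability records.  Added example with constructed data;
the record layout and thresholds are assumptions, not a vendor's schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass
class Incident:
    id: str
    severity: str                  # "critical", "high", "medium", "low"
    occurred: datetime             # earliest attacker activity (forensic evidence)
    detected: datetime             # first alert or report
    contained: Optional[datetime]  # spread stopped; None while still open
    mitigated: Optional[datetime]  # root cause addressed; None while still open


@dataclass
class Vuln:
    id: str
    cvss: float                    # CVSS base score
    discovered: datetime
    closed: Optional[datetime]     # None while still open


def _hours(start: datetime, end: datetime) -> float:
    if end < start:
        raise ValueError(f"timestamps out of order: {start} > {end}")
    return (end - start).total_seconds() / 3600


def time_kpis(incidents: list) -> dict:
    """MTTD = occurred->detected, MTTC = detected->contained,
    MTTR = detected->mitigated, matching the table's definitions.
    Only completed phases enter the averages; incidents still open are
    counted separately so a long-running open case cannot hide behind a
    good mean.  The median is reported beside the mean because one slow
    detection (INC-2 below) skews the mean badly."""
    detect = [_hours(i.occurred, i.detected) for i in incidents]
    contain = [_hours(i.detected, i.contained) for i in incidents if i.contained]
    respond = [_hours(i.detected, i.mitigated) for i in incidents if i.mitigated]

    def stats(xs):
        return (mean(xs), median(xs)) if xs else (None, None)

    mttd, mttd_med = stats(detect)
    mttc, mttc_med = stats(contain)
    mttr, mttr_med = stats(respond)
    return {
        "mttd_h": mttd, "mttd_median_h": mttd_med,
        "mttc_h": mttc, "mttc_median_h": mttc_med,
        "mttr_h": mttr, "mttr_median_h": mttr_med,
        "open_uncontained": sum(1 for i in incidents if i.contained is None),
        "open_unmitigated": sum(1 for i in incidents if i.mitigated is None),
    }


def high_risk_sla(vulns: list, as_of: datetime, sla_days: int = 20,
                  cvss_threshold: float = 7.0, target_pct: float = 90.0) -> dict:
    """Share of high-risk vulnerabilities (CVSS >= 7.0, the CVSS "High"
    floor) closed within sla_days of discovery.  An open vulnerability
    already older than the SLA is a miss, not "in progress"; an open one
    still inside the window is pending and left out of the denominator."""
    hit = miss = pending = 0
    for v in vulns:
        if v.cvss < cvss_threshold:
            continue
        deadline = v.discovered + timedelta(days=sla_days)
        if v.closed is not None and v.closed <= deadline:
            hit += 1
        elif v.closed is not None or as_of > deadline:
            miss += 1          # closed late, or still open past the deadline
        else:
            pending += 1       # open but the SLA clock has not run out yet
    decided = hit + miss
    pct = round(100.0 * hit / decided, 1) if decided else None
    return {"hit": hit, "miss": miss, "pending": pending,
            "pct_within_sla": pct,
            "meets_target": pct is not None and pct >= target_pct}


# Constructed sample data (not real incidents or findings); all times UTC.
T0 = datetime(2024, 3, 1, 9, 0)
AS_OF = datetime(2024, 4, 1, 9, 0)
INCIDENTS = [
    Incident("INC-1", "high", T0, T0 + timedelta(hours=2),
             T0 + timedelta(hours=5), T0 + timedelta(hours=20)),
    Incident("INC-2", "critical", T0, T0 + timedelta(hours=72),       # slow detection
             T0 + timedelta(hours=74), T0 + timedelta(hours=120)),
    Incident("INC-3", "medium", T0, T0 + timedelta(hours=4),
             T0 + timedelta(hours=6), None),                           # contained, not mitigated
    Incident("INC-4", "low", T0, T0 + timedelta(hours=1), None, None),  # still open
]
VULNS = [
    Vuln("V-1", 9.8, T0, T0 + timedelta(days=5)),            # closed in time
    Vuln("V-2", 7.5, T0, T0 + timedelta(days=25)),           # closed late
    Vuln("V-3", 8.1, T0, None),                              # open 31 days: a miss
    Vuln("V-4", 7.2, AS_OF - timedelta(days=3), None),       # open 3 days: pending
    Vuln("V-5", 4.3, T0, None),                              # medium: out of scope
]

if __name__ == "__main__":
    for name, value in time_kpis(INCIDENTS).items():
        print(f"{name:>18}: {value}")
    print(high_risk_sla(VULNS, AS_OF))
```

With the sample data the mean MTTD is 19.75 hours while the median is 3 hours; presenting only the mean would make one slow detection look like a fleet-wide problem, and presenting only the median would hide it. The vulnerability SLA comes out at 33.3% against the 90% target because an open high-risk finding older than 20 days is counted as a miss rather than quietly dropped, which is the number the board should see.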

Identify and mitigate business-critical risks and demonstrate clear returns with a Holistic Cybersecurity Risk Assessment. Maximize the effectiveness of your cybersecurity plan by demonstrating risk in quantifiable terms that everyone can understand. Enter your next board meeting with confidence. Make more data-driven mitigation decisions that translate into a positive ROI with HolistiCyber.

Unsure of which KPIs to begin with? HolistiCyber can help you choose the right cybersecurity KPIs and efficiently measure them over time. Defend what matters most to your organization. Keep your business-critical assets safe while translating risk into tangible results for your next board presentation. 

Get the cyber defense plan your organization needs. Let’s talk

HolistiCyber

HolistiCyber supports organizations in their cyber defense challenge, providing state-of-the-art consultancy, services and solutions to help them proactively and holistically defend themselves in a new era of constantly evolving cyber threats, many of which are nation-state grade.

Learn more…

