|
|
| Line 1: |
Line 1: |
| [[File:Opsview Monitor 6.0 Dashboard.jpg|right|440px]]Your cybersecurity goals are formulated, their associated objectives are set, and security controls are selected. But how should you best measure their implementation, and over what sort of timeline should they be measured? This is where performance indicators come into play. A performance indicator is "an item of information collected at regular intervals to track the performance of a system."<ref name="Fitz-GibbonPerformance90">{{cite book |url=https://books.google.com/books?id=uxK0MUHeiI4C&pg=PA1 |title=Performance Indicators |editor=Fitz-Gibbon, C.T. |publisher=Multilingual Matters Ltd |page=1 |year=1990 |isbn=1853590932}}</ref> They tend not to be perfect measures of performance, but performance indicators remain an important function of quality control and business management. There's also a social aspect to performance indicators: what is the implied message and behavioral implications of implementing such a monitoring system? Does the monitoring of the indicator, in the end, have a beneficial impact?<ref name="Fitz-GibbonPerformance90" /> | | [[File:Cybersecurity Strategy 5 Layer CS5L.png|right|450px]] |
| | |
| Regardless of what industry you work in, deciding on the most appropriate indicators is no easy task. In March 2019, Axio CTO Jason Christopher spoke at a cybersecurity summit about security metrics (a metric is typically a number-based measurement within an indicator), with a focus on the energy industry. During that talk, he discussed various myths concerning collecting metric data for indicators, as well as the mixed success of tools such as heat maps and scorecards. After highlighting the difficulties, he gave a few pieces of useful advice. Among the more interesting suggestions he turned to was a security metrics worksheet to better define, understand, and track what you'll measure for your indicators. In his example, he used the EPRI's (Electric Power Research Institute) ''Cyber Security Metrics for the Electric Sector'' document, pulling an example metric and explaining how it was created. Among other aspects, their worksheet format includes an identifier for the metric, the associated organizational goal, and the associated cybersecurity control, which helps ensure the metric is aligned with organizational policy, existing terminology, and current best practices.<ref name="ChristopherCreating19">{{cite web |url=https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf |archiveurl=https://web.archive.org/web/20190926033850/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf |format=PDF |title=Creating a Security Metrics Program: How to Measure Success |author=Christopher, J.D. |publisher=Axio |date=18 March 2019 |archivedate=26 September 2019 |accessdate=23 July 2020}}</ref><ref name="EPRICyber17">{{cite web |url=https://www.epri.com/#/pages/product/3002010426 |title=Cyber Security Metrics for the Electric Sector: Volume 3 |author=EPRI |date=18 December 2017 |accessdate=23 July 2020}}</ref>
| |
| | |
| Regardless of industry, you may find it useful to use similar worksheet documentation for the indicators you choose to use. Unfortunately, unlike the energy industry, many industries don't have a developed set of technical cybersecurity metrics. However, the ground that EPRI has already covered, plus insights gained during the security controls selection process (see 5.3.10), should aid you in choosing the most appropriate indicators. (An archived version of Jason Christopher's description of the fields on the security metrics worksheet can be found [https://web.archive.org/web/20190926033850/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1552942066.pdf here] [PDF]. The EPRI cybersecurity metrics document can be downloaded for free at [https://www.epri.com/#/pages/product/3002010426/?lang=en-US EPRI.com].) Whatever indicators you choose, be sure they are specific, measurable, actionable, relevant, and focused on a timely nature. In particular, keep the time frame of cybersecurity strategy development and implementation in mind when choosing indicators. If you expect full implementation to take three years but choose indicators outside that time frame, those indicators won't be actionable or timely.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=23 July 2020}}</ref>
| |
| | |
| Finally, consider the advice of author and strategic adviser Bernard Marr that business shouldn't be run heavily on performance indicator data. This goes for the development of your indicators for cybersecurity success. Instead, he says, "the focus should be on selecting a robust set of value-adding indicators that serve as the beginning of a rich performance discussion focused on the delivery of your strategy." He continues with a reminder that real people and their actions are behind the indicators, which shouldn't be taken purely at face value.<ref name="MarrKey12">{{cite book |url=https://books.google.com/books?id=WleQ-F6WC3sC&printsec=frontcover |chapter=Introduction |title=Key Performance Indicators (KPI): The 75 Measures Every Manager Needs to Know |author=Marr, B. |publisher=Pearson UK |year=2012 |page=xxvii |isbn=9780273750116}}</ref>
| |
| | |
| ==References==
| |
| {{Reflist|colwidth=30em}}
| |
