One thing we as humans hate is to be judged by others, whether in our personal or professional lives. We always want to feel good around the people we are with, but unfortunately, being judged is a part of life.
Such is the case in Cybersecurity. This field has a lot of metrics attached to it, and in fact, I wrote and published a book on this topic last year. In my book, I cover the major Key Performance Indicators (KPIs) and other metrics that an organization’s CISO and IT Security team need to be aware of. Two of them are of prime importance:
- The Mean Time to Detect (MTTD): The MTTD reflects how long it takes an IT Security team to detect that a threat or security breach is actually happening. Believe it or not, the average time for detection is a staggering 7 months. Nobody really has a firm answer as to why it takes so long: either the IT Security team is too overwhelmed putting out other fires, or the Cyberattacker has become stealthier and more covert.
- The Mean Time to Respond (MTTR): This metric reflects how long it takes an IT Security team to contain an actual breach. There are no hard numbers on this one, as there are with the MTTD, and the total time for containment will vary depending upon the severity of the threat variant itself. In this instance, documents such as the Incident Response, Disaster Recovery, and Business Continuity Plans are of prime importance.
But many Cyber pundits now claim that these established metrics are now outdated and stale. They do not consider other variables, such as Generative AI, that can impact detection and containment. As I have also written about previously, Generative AI can be used for both good and bad purposes.
At this point, you may ask, “So what comes next?” Here are some thoughts about that:
Priority: Many people have pointed out that the MTTR and the MTTD cannot be blanket metrics applied to every type of security breach that occurs. Rather, these metrics must be adjusted to consider the following:
- Exploitability
- Impact
- The sources that were used to detect/contain the threat.
In other words, the degree of potential severity (or actual severity, if a security breach has occurred) needs to be the key factor taken into consideration when calculating these two metrics.
Monitoring: A metric needs to be formulated that shows, once a security breach has been detected, how long it takes the IT Security team to contain it. True, this sounds just like the MTTR, but the MTTR is a static number: it only reflects the time until the entire breach has been put out. This new metric would show how containment is progressing on a real-time basis.
Practice: To the best of my knowledge, the metrics that exist in the Cyber world today are used primarily for real-world situations. How about creating a metric or a group of metrics that gauge the effectiveness of both the CISO and the IT Security team when conducting mock Cyberattacks? There is a lot of talk about doing mock Cyberattacks but not about measuring the results at the end. In my opinion, there should be a strong emphasis on measuring the end result, as doing so will push the IT Security team to sharpen their skills and response times for when an actual breach occurs.
Culture: The sad truth is that we live in a reactive society. We only act when something bad happens. Therefore, there have been calls to create a new metric or group of metrics that reflect the overall proactiveness of the IT Security team on a real-time basis, and how that has led them to be successful (or not) in detecting and containing a security breach. It is particularly important to keep in mind that this would be a qualitative metric, and more subjective variables must be included here as well.
After the threat is contained
It’s true that the MTTR shows how long it takes for the IT Security team to contain the threat variant. But what happens beyond that? For example, how long does it take to restore mission-critical business operations? How long does it take for the business to get back to the operational level it was at before the security breach hit? Some potential metrics here could revolve around both Disaster Recovery and Business Continuity.
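To make the "Priority" point above concrete (a blanket MTTD/MTTR hides how differently critical and low-severity incidents are handled, and which detection source found them), and to show what a post-containment "time to restore" metric looks like alongside them, here is an added example in Python. It is not code from the original article or from any product; the Incident fields, the severity scale and the detection-source labels are assumptions, and the four incident records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """One closed incident. Field names and the severity scale are assumed here,
    not taken from any particular ticketing system."""
    incident_id: str
    severity: str            # e.g. "critical", "medium", "low" (assumed scale)
    detection_source: str    # which control or party first spotted it (assumed labels)
    compromise: datetime     # best estimate of when the intrusion began
    detected: datetime       # when the IT Security team became aware of it
    contained: datetime      # when the breach was fully put out
    restored: datetime       # when business operations were back to pre-incident level


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def mttd_hours(incidents) -> float:
    """Mean Time to Detect: compromise -> detection."""
    return mean(_hours(i.compromise, i.detected) for i in incidents)


def mttr_hours(incidents) -> float:
    """Mean Time to Respond: detection -> containment."""
    return mean(_hours(i.detected, i.contained) for i in incidents)


def mean_time_to_restore_hours(incidents) -> float:
    """Post-containment metric: containment -> business operations restored."""
    return mean(_hours(i.contained, i.restored) for i in incidents)


def metrics_by(incidents, attribute: str) -> dict:
    """Compute the three metrics separately for each value of `attribute`
    (e.g. "severity" or "detection_source") instead of one blanket number."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[getattr(inc, attribute)].append(inc)
    return {
        key: {
            "count": len(items),
            "mttd_h": mttd_hours(items),
            "mttr_h": mttr_hours(items),
            "restore_h": mean_time_to_restore_hours(items),
        }
        for key, items in groups.items()
    }


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data, not real incidents.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "critical", "edr",
             _ts("2024-01-01 00:00"), _ts("2024-01-03 00:00"),
             _ts("2024-01-03 06:00"), _ts("2024-01-04 06:00")),
    Incident("INC-002", "critical", "siem",
             _ts("2024-02-01 00:00"), _ts("2024-02-02 00:00"),
             _ts("2024-02-02 04:00"), _ts("2024-02-03 04:00")),
    Incident("INC-003", "low", "third_party",
             _ts("2024-03-01 00:00"), _ts("2024-04-01 00:00"),
             _ts("2024-04-01 01:00"), _ts("2024-04-01 03:00")),
    Incident("INC-004", "medium", "siem",
             _ts("2024-05-01 00:00"), _ts("2024-05-11 00:00"),
             _ts("2024-05-11 12:00"), _ts("2024-05-13 12:00")),
]


if __name__ == "__main__":
    print(f"blanket MTTD: {mttd_hours(SAMPLE_INCIDENTS):.1f} h, "
          f"MTTR: {mttr_hours(SAMPLE_INCIDENTS):.1f} h, "
          f"restore: {mean_time_to_restore_hours(SAMPLE_INCIDENTS):.1f} h")
    for attribute in ("severity", "detection_source"):
        for key, m in metrics_by(SAMPLE_INCIDENTS, attribute).items():
            print(f"{attribute}={key:<12} n={m['count']} MTTD={m['mttd_h']:.1f} h "
                  f"MTTR={m['mttr_h']:.1f} h restore={m['restore_h']:.1f} h")
```

On the constructed data the blanket MTTD comes out at 264 hours, while the two critical incidents were detected in 36 hours on average and the single low-severity one took 744 hours; reporting only the blanket figure would misrepresent how the team handles the incidents that matter most. Grouping by detection_source answers the third bullet above (which control found the breach), and the restore metric extends the timeline past containment, as the "After the threat is contained" section asks for.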
My Thoughts on This
Personally, I do not like metrics, but in this case, I fully support them as they relate to Cybersecurity. This is the only way that we will truly know if a CISO and their IT Security team are doing their jobs to the best level possible. In the end, having good metrics will not only bring a strong reputational image in the eyes of the public, but can also serve as the “make or break” factor when money and budget for any future Cybersecurity efforts are to be approved by the C-Suite.
Sources/References:
Generative AI: Phishing and Cybersecurity Metrics
Ravi Das is an Intermediate Technical Writer for a large IT Services Provider based in South Dakota. He also has his own freelance business through Technical Writing Consulting, Inc.
He holds the Certified In Cybersecurity certificate from the ISC(2).