Question: What does the “P” in cybersecurity performance management mean? How do we measure performance?
Shirley Salzman, CEO and co-founder at SeeMetrics: Attributed to Greek philosopher Socrates, the aphorism “know thyself” reminds us that to comprehend the world around us, we must first understand ourselves. Similarly, in cybersecurity, a crucial first step to assessing is knowing ourselves — understanding not only our capabilities, but how effectively we’re applying them.
In theory, the cybersecurity performance management (CPM) model offers security leadership a simple way to know themselves — as well as to communicate and collaborate with peers and executives in a complex, siloed ecosystem.
In practice, there’s a hitch. How can a CISO create a streamlined performance narrative without a single source of truth? Today, CISOs need to rely on a complex web of narratives made up of disparate metrics, different contexts, and no single standard for measuring performance.
This makes getting answers to key questions nearly impossible: How are my security programs performing? How prepared are we for threats? Performance should be derived from a uniform set of measurements, metrics and KPIs. Yet currently, these simply don’t exist.
And this is what Socrates has to do with CPM. The “P” in CPM has become a central tenet in the CISO’s “know thyself” ethos, transforming CPM into a part of the day-to-day management toolkit. Because knowing is the first step to not only communicating, but also managing.
Breaking Down the P in CPM
In the spirit of “know thyself,” let’s break down “performance.” What do CISOs need to know? Performance comprises four key areas:
- Security programs: Enterprise security organizations manage multiple and diverse security programs. To measure the performance of each program, CISOs need to evaluate a range of metrics and KPIs that encompass people, technology, and processes. Yet within each program, a given metric is likely to have different characteristics.
- Threat assessment: CISOs need to measure their threat readiness by assessing the likelihood and potential damage of specific threats. In order to assess a threat, they need to define the measurements relevant for the threat vector, correlate data from various security programs, and ultimately evaluate readiness. Yet we still lack a uniform standard for measuring readiness.
- Control effectiveness: Security organizations have dozens of security products that provide hundreds of controls. Until recently, CISOs needed to just “check the box” confirming that they had controls in place. Today, they are expected to know how exactly controls were deployed and configured, not to mention their specific impact on overall performance.
- Customization: Security leaders need the flexibility to leverage measurements and metrics for a range of ad-hoc projects and policies. For example, if the organization is migrating from one EDR to another, they need to know how to track progress without impeding team efforts. Or, when onboarding a new vulnerabilities management team, they need to know how to track the team’s contribution.
Toward a Unified, Collaborative Security Organization
Security leaders need to leverage the P in CPM to build a more unified and collaborative security organization — sharing insights, defining more realistic goals, and tracking progress.
Just like Socrates urged us to know ourselves, it’s time for security leaders to rethink the role of performance. It’s no longer sufficient to report performance — it’s time to leverage it for better management, too. By focusing on the P in CPM, security leaders can markedly enhance both cybersecurity operations and overall security performance.
