CEO Digest | Strategic Insights for CEOs | NSI

Which Cyber Security KPIs Should Matter to a CEO?

Written by Derek Marin | Jun 5, 2019 1:56:14 PM

You know how business is doing at any given time. You get sales reports for last month and last quarter, profit and loss statements by division, and you probably track financial and operational ratios, too.

Key performance indicators (KPIs) help you make informed decisions; they drive you and your management team to take action, and they ultimately tell the story of your company's performance.

However, with more investment going towards cyber security and more of our businesses' operations taking place in the cloud, it's critical that CEOs adopt a new set of KPIs suited to the digital age: security metrics that answer questions such as:

How effectively is my organization mitigating cyber security threats? What types of threats are being detected and blocked each month? Did we experience any downtime this month?

In this post we highlight four cyber security KPIs that NSI helps our CEO clients focus on, and why they matter.

How Does Our Security Posture Compare to that of Our Peers?

Every business is different, but there are a number of commonalities across companies in the same industry and of similar size. These companies share similar profiles when it comes to regulatory compliance and to exposure based on how they use technology. An industry benchmark gives a business an idea of how it is doing compared to its nearest industry neighbors. It can also serve as an early-warning system, identifying trends in cyber attacks that may not have impacted your business yet. This high-level, tailored report should give a senior executive an at-a-glance understanding of their company's security posture.

How Are We Exposed and Are We Doing Anything About It?

Different security solutions protect different aspects of your technology, and this metric shows how well each of your systems is protected. As an example, a firewall can protect against outside intruders accessing your network, but it doesn't necessarily protect against viruses on your PCs. Antivirus software can protect those PCs, but may not protect against malicious emails. Understanding where the holes are allows you to determine your exposure and then make decisions about it.

Did We Experience Any Cyber Incidents this Month and What was the Financial Impact?

Hopefully the answer is "no", but if a security event did take place, you need to know what happened and what the financial impact was. An attack against your customer portal might impact a customer's ability to check on an order, or prevent a customer from submitting a timely order. In a worst-case scenario, a breach of your network would require a complete shutdown of your network until the issue is resolved. Who or what was affected, and for how long, are important metrics to know. Equally important is understanding how that incident translates into dollars.

Patching Cadence

All software needs to be patched over time, but how often are we doing it? Depending on your software provider, this activity can be predictable or unpredictable. As an example, Microsoft releases its software patches on the second Tuesday of every month, but smaller vendors release security updates reactively. Knowing how often patches are applied (or not applied, leaving security holes), and in certain instances when patches are rolled back due to incompatibilities, is a good measure of your level of exposure at any point in time.
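To show how the patching-cadence KPI described above can be computed, here is an added example that is not part of the original post and not NSI's own tooling. The hosts, patch identifiers, release dates and event log are constructed sample data, and a 14-day patching SLA is assumed; a rolled-back patch counts the host as exposed again, which is the point the paragraph makes.

```python
# Added example (not from the original post): patching-cadence KPIs from a
# constructed patch log. Host names, patch ids and dates are made up.
from datetime import date

# Constructed inventory and patch catalogue (patch id -> vendor release date).
HOSTS = ["ws-01", "ws-02", "ws-03", "srv-01"]
PATCHES = {"KB001": date(2019, 5, 14), "V-17": date(2019, 5, 20)}
REPORT_DATE = date(2019, 6, 5)  # the "as of" date for the monthly report

# Constructed event log: (host, patch id, event, event date).
PATCH_LOG = [
    ("ws-01", "KB001", "applied", date(2019, 5, 16)),
    ("ws-02", "KB001", "applied", date(2019, 5, 20)),
    ("ws-03", "KB001", "applied", date(2019, 6, 1)),
    ("ws-03", "KB001", "rolled_back", date(2019, 6, 2)),  # incompatibility
    ("srv-01", "KB001", "applied", date(2019, 5, 14)),
    ("srv-01", "V-17", "applied", date(2019, 5, 22)),
]


def patch_kpis(hosts, patches, log, as_of, sla_days=14):
    """Return coverage, mean days-to-patch, rollback count and overdue count.

    A (host, patch) pair counts as protected only if its latest event is
    'applied'; a rollback puts the pair back into the exposed set.
    """
    latest = {}  # (host, patch id) -> (event, event date)
    for host, pid, event, when in sorted(log, key=lambda e: e[3]):
        latest[(host, pid)] = (event, when)
    applied_days, overdue, rollbacks = [], 0, 0
    for host in hosts:
        for pid, released in patches.items():
            event, when = latest.get((host, pid), ("missing", None))
            if event == "applied":
                applied_days.append((when - released).days)
                continue
            if event == "rolled_back":
                rollbacks += 1
            if (as_of - released).days > sla_days:  # exposed past the SLA
                overdue += 1
    total = len(hosts) * len(patches)
    mean_days = sum(applied_days) / len(applied_days) if applied_days else None
    return {"coverage": len(applied_days) / total,
            "mean_days_to_patch": mean_days,
            "rolled_back": rollbacks,
            "overdue": overdue}


if __name__ == "__main__":
    print(patch_kpis(HOSTS, PATCHES, PATCH_LOG, REPORT_DATE))
```

On the sample data, half of the host/patch pairs are covered, the ones that were applied took 2.5 days on average, one patch was rolled back, and four pairs are past the 14-day SLA.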

Smaller companies without dedicated IT security staff can find ongoing monitoring and reporting challenging. NSI Cyber Security Services in Connecticut offers reporting on key cyber security metrics, in addition to complete managed security capabilities.

How Often Should Cyber Security KPIs be Reviewed?

For the CEO:

  • No less than quarterly. Measurable metrics with trend data, such as open security vulnerabilities, or how often malicious emails are getting through to employees, can be delivered monthly.
  • Reactive reporting on incidents actively impacting business, like website attacks or a security breach, should happen weekly or even daily depending on severity.

Board of Directors or Investors:

  • Provide a summary of the CEO-level reporting to discuss with them twice a year. Topics should include cyber security trends in your specific industry, what the company is doing to address these trends, and how these actions tie back to mitigating risk as a company.

CEOs are measured on their ability to keep their company competitive, eliminate waste, and mitigate risk. Cyber security is a critical element to any successful business, and is a new metric by which businesses and their leaders are being measured. Know your business, know your cyber security exposure, and set yourself up for success.