
How can you assess and interpret your cybersecurity performance?

As a CISO, your priority is to maintain the security of your company's information systems while constantly improving its cybersecurity performance.

But to improve performance, you need to monitor it: that's the purpose of key performance indicators (KPIs). Interpreting this data can be a daily challenge, especially for your senior management. So how can you tell if you have the right level of security, or if you are more vulnerable to attacks than other companies in your sector?

September 26, 2023

Assessing your own cybersecurity performance

Assessing your organization's cyber performance is one of the keys to ensuring the protection of your IT assets and data (whether sensitive or not), as well as the trust of your customers and partners. But in concrete terms, what are we talking about? How can it be assessed?

The concept of cybersecurity performance

This concept refers to a company's ability to secure its IT environment and information systems against a multitude of constantly evolving cyber threats. This notion encompasses:

  • the implementation of robust cybersecurity policies;
  • the application of recognized security standards and benchmarks;
  • the regular measurement of company performance using KPIs.

In this context, data collection allows us to measure ourselves against a standard or benchmark of some kind, and so to quantify our performance. Each security policy corresponds to a score and/or to regular actions that must be carried out.

Baptiste David, Product Evangelist at Tenacy, reminds us that "saying you do it is not enough! To evaluate your performance, you need to incorporate the concept of operational control, with verification of recurring tasks and monitoring performance measurement using dashboards with KPIs from the company's cybersecurity platforms."

What is a good indicator?

Let's start by distinguishing between:

  • an activity indicator (which, according to Baptiste David, "is completely useless: it is a value that does not allow for any decision-making");
  • a performance indicator, which is a ratio highlighting the achievement of an objective.

For example, the number of people who click on a phishing campaign does not measure the effectiveness of employee awareness training. However, setting a goal such as having less than X% of people click on the link makes it possible to quantify performance and determine whether it is satisfactory or not.

Another example concerns measuring the performance of an organization's VIP awareness program (note that we are referring here to individuals at risk who may be targeted by attackers, not just senior management): the indicator "VIP participation in awareness workshops" can be used to calculate a compliance score based on company policies and standards.

Defining the right performance indicators is therefore the first step in the process of developing cybersecurity performance.

The need to monitor changes in indicators over time

Having the right KPIs is not enough. The second step in the process is to track their progress over time.

Performance indicators vary depending on many factors: technological changes, new threats, adjustments to security policies, etc. By tracking indicators over time, you can measure the impact of corrective actions and detect fluctuations and trends. This gives you insights into the strengths and weaknesses of your cybersecurity policy.

The importance of stakeholders

Performance evaluation cannot be done alone: as a CISO, you need the internal players in your company. Business managers, IT teams, and end users have specific knowledge and expertise; their involvement is therefore crucial to accessing the resources needed to evaluate your company's cybersecurity. You cannot find the information you need on your own!

Comparing your cybersecurity performance

Interpreting these KPIs is challenging, especially for members of your senior management team. It is therefore essential to establish a reference framework that allows them to easily understand your company's cyber performance and posture—and compare it to that of your competitors.

With this structured approach, cybersecurity decision-making will be informed and facilitated. But how can this be achieved?

Comparing yourself to others: impossible without the right tool

To compare your performance, you need an objective perspective on the market. You also need to avoid internal biases or beliefs that could distort the interpretation of indicators. Having an external perspective is therefore essential.

Using a benchmark allows you to compare yourself to similar organizations and measure your relative performance. It goes without saying that the choice of benchmark must be tailored to the size of your company and your industry: an SME cannot be compared to a CAC40 company, and the security constraints of a company in the banking sector differ from those of a manufacturing plant. Without the right tool, making such a comparison is impossible.

Good news: Tenacy offers a benchmark feature on its governance platform! You can now compare your compliance scores with public security policies and those of your peers (we want to reassure you right away that this data is completely anonymized, of course!).

Comparison to provide context and understand performance levels

Should you be satisfied with an 80% KPI? It is impossible to answer this question without context or points of comparison. A benchmark allows you to interpret results and comment on scores, particularly for those who are unfamiliar with the field or do not have a risk culture.

Being able to associate context and reference points with a performance indicator allows you to comment on it at a given moment and track its evolution over time.

By comparing yourself to similar companies, you gain a better understanding of your cybersecurity performance rate. And even if you (as CISO) have this contextual knowledge, it allows you to provide insights to non-experts such as your executive committee.

On this subject, Baptiste David points out that "understanding cybersecurity KPIs requires specific maturity and knowledge. The benchmark will be useful to the CISO, who has to discuss security with people who have no cyber knowledge or maturity, generally members of the executive committee. It will provide factual information to comment on the results and understand the concept of risk, which consists of saying: 'Look, we're not doing well, while others are succeeding. The problem is us,' and leading to informed decisions to remedy the problems."

Comparison to raise awareness of one's weaknesses

The comparison highlights potential gaps and weaknesses so that security measures can be strengthened. A company that performs worse than others on a particular item will be more vulnerable to attacks than others.

But beware of false beliefs: "Just because you have a good score doesn't mean you're safe," warns Baptiste David. "Those with the worst scores, even with an indicator deemed 'good,' are at greater risk of attack than others. Conversely, just because you're the best doesn't mean you're safe. Certified and compliant companies can also be attacked. It's important to avoid a false sense of security. There is no such thing as zero risk."

Comparison to strengthen credibility and communicate more effectively

Comparing yourself to relevant benchmarks, such as companies similar to yours, strengthens your company's credibility in terms of cybersecurity.

By implementing action plans to improve your security level, you can track your indicators and assess whether you are successfully addressing your weaknesses. This comparison also makes it easier to communicate cyber issues to non-experts, demonstrating your commitment to continuously improving your company's performance in this area.

Final words

As you can see, comparing performance will not eliminate risks, and you need to guard against the false sense of security that comes with your company's good compliance. But knowing where you stand in relation to others allows you to put your results and performance indicators into context.

Let's finish with a best practice tip from Baptiste David: "To make the comparison process worthwhile, do it with candor and transparency. Don't overestimate or underestimate yourself by saying, 'Since I'm going to be compared, I'll say I'm better' or 'On the contrary, to get additional budgets, I'll show that I'm not good.'"