The SSI dashboard is an essential management tool for CISOs. Whether it is used for operational, coordination or strategic purposes, it enables you to visualize the state of information system security and measure the gap between the company's ISSP (information system security policy) and the reality on the ground.

Your information system is constantly evolving, and as CISO you need to make quick, well-informed decisions. This raises a number of questions.

  • Do you have the right indicators to do this?
  • Is your data relevant, objective and understandable?
  • Have you integrated all the equipment on your infrastructure?
  • Do you have the right indicators in front of you to make decisions about your company's security?

In this article, discover 5 examples of performance indicators to include in your SSI dashboard.

What is an SSI performance indicator?

To begin with, let's agree on the concept of an indicator. According to ANSSI, a performance indicator (or KPI, Key Performance Indicator) is "statistical data combining the measurement of one or more key points and used in comparison with a history, target value(s) and/or threshold value(s)". In simpler terms, performance indicators enable you to track the evolution of an activity or the results of actions against historical data. Through comparisons and thresholds, they provide a decision-making tool for CISOs.

SSI indicators are generally derived from the ISSP (Information Systems Security Policy) set up within the organization. In particular, they track security objectives related to:

  • a risk analysis;
  • security actions based on an action plan;
  • legal obligations or compliance with standards and certifications.

Each company defines its KPIs according to its needs, objectives and resources, to measure the effectiveness of IS security.

"To make informed decisions, it's essential to choose the right SSI indicators. And beyond that, it's the visualization of this KPI that should enable the CISO to appreciate the situation at a glance."  
Baptiste David, Head of PreSales & Delivery, Tenacy

Indicators provide CISOs with a multi-level view.

  • At a strategic level, indicators are used to monitor the application of the ISSP.
  • At the management level, they enable, according to ANSSI, "the achievement of objectives to be monitored and quality of service to be improved".
  • On the operational side, performance indicators measure production status, requirements and the technical resources to be deployed.

In the dashboard, the CISO visualizes the status of the information system in summary form. This is a vital tool for presenting the situation clearly to management and operational teams alike. The aim of a key SSI performance indicator is to facilitate decision-making at all levels.

1. Deployment rate of security patches and fixes by application

The first key indicator on this list concerns the vulnerability of your IT assets. Patch management involves identifying software and operating systems on workstations and servers that have not been updated.

In the face of increasing cyber attacks, it is imperative to minimize the risk of security flaws and vulnerabilities in your information system. In 2017, the WannaCry ransomware exploited a security flaw in the Microsoft Windows SMB v1 protocol and infected more than 250,000 systems worldwide. That is why keeping the IT estate up to date is paramount for CISOs and their companies.

Everyone is aware of the stakes, but are you up to date with patching? Are the patches supported by your equipment? By monitoring a vulnerability indicator such as the deployment rate of security patches and/or fixes per application, you can take a true measure of the state of your IT assets. By tracking this data over time, you can take the decisions needed to reduce the risk of cyber-attacks via unpatched security flaws.
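The following is an added example, not code from the article or from Tenacy, showing how this first indicator can be computed the way the ANSSI definition above describes it: a rate per application, compared with a target value, an alert threshold and the previous period. The inventory records, the two thresholds and the previous-period figures are constructed assumptions; a real dashboard would take them from the asset inventory and the ISSP.

```python
"""Added example: patch deployment rate per application (KPI 1).

Assumes a flat inventory export with one record per (host, application) that
says whether the latest security patch is applied. Every figure below is
constructed for the example, not taken from any real estate.
"""
from collections import defaultdict

# Constructed inventory: (host, application, latest_patch_applied)
INVENTORY = [
    ("ws-001", "browser", True),
    ("ws-002", "browser", True),
    ("ws-003", "browser", False),
    ("ws-004", "browser", True),
    ("srv-01", "web-server", False),
    ("srv-02", "web-server", False),
    ("srv-03", "web-server", True),
    ("srv-01", "os", True),
    ("srv-02", "os", True),
    ("ws-001", "os", True),
    ("ws-002", "os", False),
]

# Assumed values: each company sets its own target and alert threshold.
TARGET_RATE = 0.90      # target value from the ISSP
ALERT_THRESHOLD = 0.70  # below this the application is flagged

# Constructed previous-period rates, as a dashboard would keep them.
LAST_PERIOD = {"browser": 0.50, "web-server": 0.67, "os": 1.0}


def deployment_rate(inventory):
    """Return {application: patched installs / total installs}."""
    patched = defaultdict(int)
    total = defaultdict(int)
    for _host, app, is_patched in inventory:
        total[app] += 1
        patched[app] += int(is_patched)
    return {app: patched[app] / total[app] for app in total}


def evaluate_patch_rates(rates, history, target=TARGET_RATE,
                         threshold=ALERT_THRESHOLD):
    """Compare each rate with the target, the alert threshold and last period.

    Returns {application: {"rate", "status", "trend"}} where status is one of
    ok / below_target / alert and trend is new / improving / stable / degrading.
    """
    report = {}
    for app, rate in sorted(rates.items()):
        if rate >= target:
            status = "ok"
        elif rate >= threshold:
            status = "below_target"
        else:
            status = "alert"
        previous = history.get(app)
        if previous is None:
            trend = "new"          # first period for this application
        elif rate > previous:
            trend = "improving"
        elif rate < previous:
            trend = "degrading"
        else:
            trend = "stable"
        report[app] = {"rate": round(rate, 2), "status": status, "trend": trend}
    return report


if __name__ == "__main__":
    for app, row in evaluate_patch_rates(deployment_rate(INVENTORY),
                                         LAST_PERIOD).items():
        print(f"{app:12} {row['rate']:.0%}  {row['status']:13} {row['trend']}")
```

The trend column is what turns a snapshot into an indicator in the ANSSI sense: an application at 75% that was at 50% last period calls for a different decision than one at 75% that was fully patched last period.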

2. The volume of activity of your EDR agents across the IT estate

The second metric to track in a dashboard dedicated to the security of your IT system concerns workstation protection. With the advent of EDR agents, security teams now have access to a set of logs and alerts for each workstation. When analyzing the protection coverage of your EDR agents, you may be surprised to discover the actual number of missing, obsolete and misconfigured installations.

Monitoring the volume of threats reported by the agents also enables you to identify more precisely which teams in your company cybercriminals are targeting, and thus take corrective action.

Did you know that 380,000 new malicious files[1] are registered every day? Ransomware attacks, fileless malware, hijacked RDP access, lateral movement... many threats target workstations.

By analyzing the activity of your EDR agents, you can react in the event of an attack on one of your machines, and avoid paralyzing your infrastructure.

3. The volume of processes launched by a super administrator

The third key indicator concerns the measurement of privileged access. System administrators are a prime target for cyber attackers, as their accounts give access to and control over IT resources. According to CyberArk, a company specializing in Privileged Access Management (PAM), 79% of companies have suffered an identity-related breach in the last two years.

So who is the administrator of what? Carry out periodic reviews of privileged accounts and monitor the volume of processes launched with the root user. You will then be able to keep track of activity while avoiding leaving entry points open to attackers.

Knowing this indicator helps to assess IS security and risk levels. It can be used to analyze whether access is justified, and to rectify risky situations by removing inappropriate or obsolete access.
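As an added example (not code from the article or from Tenacy), here is one way to turn process-launch events into the indicator described above: count launches per privileged account per day, then compare the latest day with the median of the earlier days so that a sudden jump stands out. The events, the list of privileged accounts and the spike factor are constructed assumptions; in practice the events would come from an audit subsystem or the EDR agents of the previous indicator.

```python
"""Added example: volume of processes launched by privileged accounts (KPI 3).

Assumes process-start events have already been collected (for instance by
auditd or an EDR agent) into (day, user) records, one per process launched.
The events, the privileged-account list and the spike factor are constructed
assumptions for this example, not figures from any real estate.
"""
from collections import defaultdict
from statistics import median

# Accounts whose activity the indicator follows (assumption for the example).
PRIVILEGED = {"root", "svc-backup"}

# Constructed process-start events: (day, user). Repetition stands in for
# the many launches a real audit log would record.
EVENTS = (
    [("2024-03-01", "root")] * 40
    + [("2024-03-02", "root")] * 38
    + [("2024-03-03", "root")] * 42
    + [("2024-03-04", "root")] * 150        # unusual volume on the last day
    + [("2024-03-01", "svc-backup")] * 10
    + [("2024-03-02", "svc-backup")] * 10
    + [("2024-03-03", "svc-backup")] * 10
    + [("2024-03-04", "svc-backup")] * 11
    + [("2024-03-01", "alice")] * 200       # ordinary user: not part of the KPI
    + [("2024-03-04", "alice")] * 210
)


def daily_counts(events, privileged=PRIVILEGED):
    """Return {user: {day: number_of_processes}} for privileged users only."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user in events:
        if user in privileged:
            counts[user][day] += 1
    return {user: dict(per_day) for user, per_day in counts.items()}


def flag_privileged_spikes(counts, factor=2.0):
    """Compare each account's most recent day with the median of its earlier days.

    Returns {user: {"current", "baseline", "spike"}}. A baseline of None means
    there is no history yet for that account; it is reported, not flagged.
    """
    report = {}
    for user, per_day in counts.items():
        days = sorted(per_day)
        current = per_day[days[-1]]
        earlier = [per_day[d] for d in days[:-1]]
        baseline = median(earlier) if earlier else None
        spike = baseline is not None and current > factor * baseline
        report[user] = {"current": current, "baseline": baseline, "spike": spike}
    return report


if __name__ == "__main__":
    for user, row in flag_privileged_spikes(daily_counts(EVENTS)).items():
        flag = "SPIKE" if row["spike"] else "ok"
        print(f"{user:12} today={row['current']:4} baseline={row['baseline']}  {flag}")
```

A median rather than a mean is used for the baseline so that one earlier busy day (a patch run, for instance) does not hide a genuine jump; the volume is the signal the dashboard surfaces, and the periodic account review decides whether the activity was legitimate.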

4. Connection volume via MFA

A fourth essential metric for CISOs managing IS security is connection security. Activating multi-factor authentication, or MFA (also known as two-factor authentication, 2FA), is a key measure for protecting users' access to the network.

To access an application, online account or VPN, the user must present at least two identity verification factors. Once the user has entered their login and password, access remains locked and requires a second factor, typically a One-Time Password (OTP) received in a secondary e-mail box, by SMS, or from an application that generates one-time codes, such as Google Authenticator, Microsoft Authenticator or Twilio Authy. Authentication factors can also be biometric, using fingerprint, retinal or facial recognition.

"In the age of Office 365 and the all-cloud, people need to use multi-factor authentication. It's no longer an option for corporate cybersecurity! In Europe, it's even mandatory to offer dual authentication in the banking sector. CISOs need to be able to monitor this leading indicator and its evolution in order to take the appropriate decisions for their company's security."  
Baptiste David, Head of PreSales & Delivery, Tenacy

Monitoring the rate of connections made via MFA ensures that access to applications, especially the most critical ones, is secure.
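The following added example (not code from the article or from Tenacy) computes this fourth indicator from authentication log lines: the share of successful logins per application that went through MFA, checked against a stricter target for the critical applications the text singles out. The key=value line format, the log excerpt, the list of critical applications and the two targets are all constructed assumptions; an identity provider's real export will need its own parser.

```python
"""Added example: share of connections made with MFA (KPI 4).

Assumes authentication events exported as key=value log lines, one per login
attempt, with an "mfa" field set by the identity provider. The log lines, the
critical-application list and the targets are constructed for this example;
the line format is an assumption, not any vendor's actual format.
"""
import re
from collections import defaultdict

# Constructed log excerpt. The last line is deliberately malformed to show
# that unparseable lines are counted rather than silently dropped.
AUTH_LOG = """\
2024-03-04T08:01:12Z user=alice app=vpn result=success mfa=yes
2024-03-04T08:03:40Z user=bob app=vpn result=success mfa=yes
2024-03-04T08:05:02Z user=carol app=vpn result=failure mfa=no
2024-03-04T08:05:30Z user=carol app=vpn result=success mfa=yes
2024-03-04T08:07:55Z user=dave app=mail result=success mfa=yes
2024-03-04T08:09:13Z user=erin app=mail result=success mfa=no
2024-03-04T08:11:20Z user=dave app=mail result=success mfa=yes
2024-03-04T08:12:47Z user=frank app=wiki result=success mfa=no
2024-03-04T08:15:01Z user=grace app=wiki result=success mfa=yes
2024-03-04T08:16:00Z garbled entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

# Assumed targets: critical applications must be 100% MFA, the rest 90%.
CRITICAL_APPS = {"vpn", "mail"}
CRITICAL_TARGET = 1.0
DEFAULT_TARGET = 0.9


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def mfa_rates(log_text):
    """Return ({app: share of successful logins that used MFA}, skipped_lines).

    Only successful logins count: a failed attempt never opened a session,
    so it says nothing about how sessions are protected.
    """
    with_mfa = defaultdict(int)
    total = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1
            continue
        if event["result"] != "success":
            continue
        total[event["app"]] += 1
        with_mfa[event["app"]] += int(event["mfa"] == "yes")
    return {app: with_mfa[app] / total[app] for app in total}, skipped


def evaluate_mfa_rates(rates, critical=CRITICAL_APPS):
    """Attach the applicable target and an ok/below_target status per application."""
    report = {}
    for app, rate in sorted(rates.items()):
        target = CRITICAL_TARGET if app in critical else DEFAULT_TARGET
        report[app] = {
            "rate": round(rate, 2),
            "target": target,
            "status": "ok" if rate >= target else "below_target",
        }
    return report


if __name__ == "__main__":
    rates, skipped = mfa_rates(AUTH_LOG)
    for app, row in evaluate_mfa_rates(rates).items():
        print(f"{app:6} {row['rate']:.0%} (target {row['target']:.0%})  {row['status']}")
    print(f"{skipped} unparseable line(s)")
```

The skipped-line count belongs on the dashboard next to the rate: an indicator computed from a log whose format changed overnight can look excellent while measuring nothing.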

5. Employee training levels

The fifth KPI concerns measuring the level of employee training in cyber risks. According to a study by U-Secure, an expert in user awareness of cyber attacks, 85% of data breaches involve the human element. The need to raise user awareness is no longer in doubt.

But how can you ensure that your employees have really become aware of the dangers, and not just listened distractedly during the latest cyber training course? If you track the participation rate in cyber risk and threat awareness training courses, are you sure you are tracking the right indicator? Would an excellent rate be a guarantee of good reflexes on the part of users in the event of an attack?

"It's not enough to say 'I'm raising awareness' today. We need to measure this performance. And that's exactly what the Tenacy platform makes possible."  
Baptiste David, Head of PreSales & Delivery, Tenacy

Instead, measure your users' click-through rate during a simulated phishing campaign! The higher the rate, the more awareness-raising work remains to be done with your staff. You will have the visibility you need to implement new preventive actions. By tracking the evolution of this click-through rate, you get a real measure of your users' awareness, and therefore of your performance!

As you have seen from this article, defining relevant indicators is essential to gaining a clear picture of your IS security. Your next step, and not the least important one, will be to determine how you can easily retrieve and aggregate your data. Choosing indicators, setting them up, monitoring performance... To help you, Tenacy provides you with customized SSI dashboards based on relevant, measurable indicators. Opening your eyes is the first step to protecting yourself!