In essence, a KPI is a way of measuring the success or failure of a goal and a means of providing information on which decisions can be based. Goals in other business units are often clearly defined; for example, the marketing unit may have the goal of increasing web traffic by 20% over the next year (SMART goals). While cybersecurity operations may have similar objectives, most of them are less finite: they focus more on positive or negative trends over time than on reaching a single fixed target.
Much of the work of cybersecurity operations consists of data analysis and the identification of patterns and trends. This applies both to the tactical functions of cybersecurity operations, which look for attack patterns and trends in malicious activity, and to the strategic functions, which identify gaps in strategic plans and inform long-term decisions. Quality KPIs act as enablers and controls of the strategic cybersecurity plan, driving continuous improvement.
The threat landscape is a dynamic and constantly changing environment, so KPIs help ensure that cybersecurity operations programs continue to be effective and that any deviations in process or technology are adequately addressed.
Which KPSIs should we measure?
When choosing the KPSIs to measure, quality must be valued above quantity.
Each KPSI must have meaning for the organization and add value to the cybersecurity program.
There are many different methods for evaluating the effectiveness of a KPSI, but in my opinion, and as noted earlier, each KPSI should be:
- (S) SIMPLE: KPSIs should not be too complicated to measure. It should be clear what the purpose of each KPSI is and how it reflects the impact of the cybersecurity program.
- (M) MEASURABLE: A KPSI must be measurable in some way, quantitatively or qualitatively. The method by which each KPSI is measured must be clearly defined and applied consistently.
- (A) ACTIONABLE: KPSIs should be used as drivers for decision making. The purpose of a KPSI is to measure performance and, if necessary, to trigger action based on the results. A KPSI that is not actionable has little or no purpose.
- (R) RELEVANT: Each KPSI must measure the function being evaluated, in this case the strategic cybersecurity program/plan. KPSIs that are simple, measurable, and actionable but not relevant to the function being evaluated will be of little value.
- (T) TIME-BASED: KPSIs can and should be used to show changes over time. An effective KPSI should be collectable and groupable over various time intervals so that variations and patterns become visible.
SMART KPSIs will differ for each organization; it is simply not possible to create a single "standard" list of KPSIs (although we will look at some as a starting point). However, it is possible to identify the components of a successful cybersecurity operations program that must be evaluated using KPSIs.