I usually do not write blogs during the week, but today is an exception. It is a holiday where I work, so in that regard, Happy Easter!!! One thing we as humans hate is to be judged by others, whether in our personal or professional lives. We always want to feel good around the people we are with, but unfortunately, being judged is a part of life.
Such is the case in Cybersecurity. This field has a lot of metrics attached to it, and in fact, I wrote and published a book about it just last year. You can see it in more detail at this link:
https://www.routledge.com/Generative-AI-Phishing-And-Cybersecurity-Metrics/Das/p/book/9781032820965
In it, I cover the major Key Performance Indicators (KPIs) and other metrics that the CISO and their IT Security team need to be aware of. Two of them are of prime importance:
1) The Mean Time to Detect:
This is also referred to as the "MTTD". It reflects how long it takes an IT Security team to detect that a threat or security breach is actually happening, measured from the moment the attacker first gained a foothold to the moment the team notices. Believe it or not, the industry average for detection is a staggering 7 months. Nobody really has a firm answer as to why it takes so long: either the IT Security team is too overwhelmed putting out other fires, or the Cyberattacker has become that stealthy and covert.
2) The Mean Time to Respond:
This is also commonly known as the "MTTR". This metric reflects how long it takes an IT Security team to contain an actual breach, measured from the moment of detection to the moment the threat is contained. There are no hard numbers on this one (the MTTD figure above is only an industry average), and the total time for containment will vary depending upon the severity of the threat variant itself. In this instance, documents such as the Incident Response, Disaster Recovery, and Business Continuity Plans come into prime importance.
But many Cyber pundits are now claiming that these established metrics are outdated and stale. Meaning, they do not consider other variables that can impact detection and containment, such as Generative AI. As I have also written about previously, it can be used for both good and bad. So, you may be asking at this point: "What is to come next?" Here are some thoughts that have echoed as a result:
1) Priority:
Many people have pointed out that the MTTR and the MTTD cannot be blanket metrics applied to every kind and type of security breach that happens. Rather, these metrics must be adjusted to consider the following:
- Exploitability
- Impact
- The sources that were used to detect/contain the threat.
In other words, the degree of potential severity (or actual severity if the security breach has occurred) needs to be the key factor to take into consideration when calculating these two metrics. In practice, that means segmenting the numbers, for example reporting an MTTD and MTTR for critical incidents separately from those for low-severity ones, rather than one average across everything.
2) Monitoring:
A metric needs to be formulated which shows, once a security breach has been detected, how long it is taking the IT Security team to contain it. True, this sounds just like the MTTR, but the MTTR is a static number: it can only be calculated after the entire breach has been put out. This new metric would show how long containment is taking on a real-time basis, while the incident is still open.
3) Practice:
To the best of my knowledge, the metrics that exist in the Cyber world today are used primarily for real-world situations. How about creating a metric or a group of metrics that gauge the effectiveness of both the CISO and the IT Security team when conducting mock Cyberattacks? Everybody seems to keep talking about doing them but not measuring the results at the end. In my opinion, there should be a strong emphasis on this, as having this kind of measure in mind will only push the IT Security team to sharpen their skills and response times for when an actual breach happens.
4) Culture:
The sad matter of fact is that we live in a reactive society. We only act when something bad happens. Therefore, there have been calls to create a new metric or group of metrics that reflect the overall proactiveness of the IT Security team on a real-time basis, and how that has led them to be successful (or not) in the detection and containment of a security breach. But it is particularly important to keep in mind that this would be a qualitative metric to calculate, as more subjective variables must be included here as well.
5) After:
Yes, the MTTR shows how long it takes for the IT Security team to contain the threat variant. But what about afterwards? For example, how long does it take to restore mission-critical business operations? How long does it take for the business to get back to the levels it was at before the security breach hit? Some potential metrics here could revolve around both Disaster Recovery and Business Continuity.
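To make the definitions of the MTTD and MTTR above, the severity segmentation in point 1, and the real-time containment view in point 2 concrete, here is an added example that is not part of the original post. The incident records are constructed sample data, not real figures; the field names and the day-based units are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

SECONDS_PER_DAY = 86400


@dataclass
class Incident:
    """One security incident. Timestamps are assumed field names, not from the original post."""
    name: str
    severity: str                       # "critical", "high", "medium" or "low"
    compromised_at: datetime            # when the attacker first gained a foothold
    detected_at: datetime               # when the IT Security team noticed
    contained_at: Optional[datetime]    # None while the incident is still open


# Constructed sample incidents (made up for this example).
INCIDENTS = [
    Incident("phish-01",  "high",     datetime(2024, 1, 2),  datetime(2024, 1, 5),  datetime(2024, 1, 6)),
    Incident("ransom-02", "critical", datetime(2024, 2, 1),  datetime(2024, 2, 3),  datetime(2024, 2, 10)),
    Incident("cred-03",   "medium",   datetime(2023, 9, 1),  datetime(2024, 3, 20), datetime(2024, 3, 22)),
    Incident("apt-04",    "critical", datetime(2024, 3, 1),  datetime(2024, 3, 15), None),  # still open
]

# Assumed "now" for the real-time view, so the example runs the same way every time.
AS_OF = datetime(2024, 3, 25)


def _select(incidents, severity):
    """Filter by severity; severity=None keeps everything (the blanket metric the post warns about)."""
    return [i for i in incidents if severity is None or i.severity == severity]


def mttd(incidents, severity=None):
    """Mean Time to Detect in days: foothold -> detection, optionally for one severity tier."""
    sel = _select(incidents, severity)
    if not sel:
        return None
    return mean((i.detected_at - i.compromised_at).total_seconds() for i in sel) / SECONDS_PER_DAY


def mttr(incidents, severity=None):
    """Mean Time to Respond in days: detection -> containment.
    Only closed incidents count, which is why the MTTR is a static, after-the-fact number."""
    sel = [i for i in _select(incidents, severity) if i.contained_at is not None]
    if not sel:
        return None
    return mean((i.contained_at - i.detected_at).total_seconds() for i in sel) / SECONDS_PER_DAY


def containment_age(incidents, now):
    """Real-time containment view (point 2): days each still-open incident has been
    in containment so far, so the team can see the clock running before the incident closes."""
    return {i.name: (now - i.detected_at).total_seconds() / SECONDS_PER_DAY
            for i in incidents if i.contained_at is None}


if __name__ == "__main__":
    print(f"Blanket MTTD: {mttd(INCIDENTS):.1f} days, blanket MTTR: {mttr(INCIDENTS):.1f} days")
    for tier in ("critical", "high", "medium", "low"):
        print(f"{tier:>8}: MTTD={mttd(INCIDENTS, tier)}  MTTR={mttr(INCIDENTS, tier)}")
    print("Open incidents, days in containment:", containment_age(INCIDENTS, AS_OF))
```

Running it shows why the blanket number misleads: one long-undetected medium-severity credential leak drags the overall MTTD to 55 days, while the critical tier on its own detects in 8 days. The MTTR for the "low" tier comes back as None rather than zero, because a tier with no closed incidents has no mean to report.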
My Thoughts on This:
Me personally, I do not like metrics, but in this case, I fully support them as they relate to Cybersecurity. This is the only way that we will truly know if the CISO and the IT Security team are doing their jobs to the best levels that they can. In the end, having good metrics will not only bring a strong reputational image in the eyes of the public, but it can also make or break whether money and budget are approved by the C-Suite for any kind of Cybersecurity effort to be undertaken in the future.