Executive leaders, board members and regulators continue to press organizations to step up their efforts to manage—and mitigate—cybersecurity risks. With data breaches increasing in frequency year over year, and large-scale ransomware attacks regularly making headlines, these demands aren’t going to vanish anytime soon. Especially in risk-sensitive industries like Legal, it’s imperative that technology and security leaders find effective strategies for tracking and demonstrating the organization’s progress towards cyber resilience.
Gathering the right cybersecurity metrics makes that possible. With quantitative data, teams can show that they’re moving toward concrete objectives that will reduce some of the most significant cyber risks the practice faces. This approach not only clarifies what the security program is trying to achieve, it also outlines concrete steps to get there.
We recommend that organizations set goals—and collect metrics tracking their progress towards them—that are clear and actionable. This creates a framework for making data-driven decisions.
In particular, metrics should meet all of the following criteria. They should be:
For instance, if stakeholders in your practice are concerned about a high click-through rate for phishing emails, you could assess the effectiveness of your training and awareness efforts by gathering the following metrics:
By gathering this data, the organization can assess the effectiveness of its security awareness training. The feedback scores show whether or not the program is achieving successful learning outcomes, and may highlight areas to tweak if progress is not as fast as was hoped for.
Other examples of metrics you can track to see how well your team is mitigating cyber risk include aspects of vulnerability management, backup and recovery, and time to respond to cyber incidents. You might also keep track of the percentage of end-user devices covered by endpoint detection and response (EDR) tools.
According to SANS, key vulnerability management metrics include the following:
For backup and recovery systems, you’ll want to gather data on the frequency of backups, as well as your ability to restore within a timeframe that would protect the operational continuity of the business. As noted by Network World, important metrics include:
It’s also important to track how well your security operations team (whether in-house or outsourced) is able to identify and respond to incidents. NIST recommends that key metrics here include:
The metrics listed above are a good place to start, and your organization can add more as your cybersecurity program matures. Stakeholders across the practice can review all of these measures to determine whether the organization’s overall risks are within tolerable limits. They can also identify areas for improvement, particularly focusing on places where the smallest changes are likely to yield the greatest reduction in risk.
Identifying the right cybersecurity metrics to gather starts with understanding your business requirements and where you’d like to mitigate risks. With this information at hand, you can set objectives, and then, leveraging your metrics, track and monitor your progress towards your objectives. Regular reporting can be used to drive targeted improvements. As you make these improvements, your business requirements (and areas of greatest risk) will likely shift, bringing you back to the start of the process. With greater maturity, you’ll most likely identify new requirements and risks to mitigate.
This feedback loop can drive a cycle of continuous improvement, enabling you to benchmark your progress across all domains within cybersecurity. It also enables you to compare your security posture to cross-industry standards and frameworks, to see where your strengths lie, and which areas could use further improvement. And, by measuring and tracking your progress, you can provide clear, objective evidence of what you’ve accomplished—valuable information for everyone who cares about the future of the practice.
Want to learn more about how Netrix’s seasoned team of cybersecurity experts helps our clients in the Legal industry monitor key metrics more effectively? Schedule a free, no-obligation consultation with us today.
Rich Lilly has been working in the IT Consulting space for 20+ years in various positions and roles, including Architect, Director of Pre-Sales, Cloud Evangelist, and his current role, Director of Security for Netrix, LLC. Rich brings extensive hands-on and practical knowledge not only of strategy for Microsoft-centric Security solutions, but also of developing and operating Security Programs.