The “P” in cybersecurity performance management (CPM) stands for performance, and measuring performance is a crucial aspect of cybersecurity. Shirley Salzman, CEO and co-founder at SeeMetrics, explains that to comprehend the world of cybersecurity, organizations must first understand themselves. This understanding involves assessing their capabilities and how effectively they are applying them.
The CPM model offers security leadership a way to know themselves and communicate and collaborate with peers and executives in a complex, siloed ecosystem. However, there is a challenge in creating a streamlined performance narrative without a single source of truth. Currently, CISOs must rely on a complex web of narratives composed of disparate metrics, different contexts, and no standard measurement for performance.
This lack of a standardized approach makes it difficult for CISOs to answer key questions such as how their security programs are performing and how prepared they are for threats. Performance should be derived from a uniform set of measurements, metrics, and key performance indicators (KPIs), but this standardization does not currently exist.
The connection to Greek philosopher Socrates and his aphorism “know thyself” becomes apparent in the context of CPM. The “P” in CPM has become a central tenet in the CISO’s “know thyself” ethos, transforming CPM into a fundamental part of the day-to-day management toolkit. Knowing is the first step not only in communicating but also in managing cybersecurity effectively.
To further understand the “P” in CPM, it is essential to break down what comprises performance in cybersecurity. CISOs need to evaluate the performance of their security programs, which encompass multiple and diverse security initiatives. This evaluation requires assessing a range of metrics and KPIs related to people, technology, and processes. However, each program may have different characteristics and metrics associated with it.
Threat assessment is another aspect of measuring performance in cybersecurity. CISOs must assess the likelihood and potential damage of specific threats to determine their threat readiness. This assessment involves defining relevant measurements for the threat vector, correlating data from various security programs, and evaluating overall readiness. Yet, there is currently no unified standard for measuring threat readiness.
Control effectiveness is another crucial area of performance measurement. Security organizations have numerous security products that provide various controls. In the past, CISOs only needed to confirm that controls were in place without delving into their deployment, configuration, and impact on overall performance. However, today, CISOs are expected to have a detailed understanding of controls and their specific effects.
Customization is also important in measuring performance. Security leaders need the flexibility to leverage measurements and metrics for ad-hoc projects and policies. For example, when migrating from one endpoint detection and response (EDR) solution to another, they need to track progress without impeding team efforts. Similarly, when onboarding a new vulnerability management team, they must track the team’s contribution to overall security.
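The two preceding points, control effectiveness (a control being installed is not the same as it working) and tracking an EDR migration as an ad-hoc project, can be made concrete with a small scorecard. The following is an added example, not code from SeeMetrics or from the original article; the asset inventory, the 24-hour reporting threshold and the "block" policy mode as the intended configuration are all constructed assumptions.

```python
"""Added example: EDR control-effectiveness and migration-progress KPIs.

Constructed data and thresholds; not from the original article or any vendor.
"""
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic (assumption).
NOW = datetime(2024, 1, 15, 12, 0, 0)

# Constructed asset inventory. Each host records which EDR agent is installed
# ("old", "new" or None), when it last checked in, and its policy mode.
HOSTS = [
    {"name": "ws-01", "agent": "new", "last_seen": NOW - timedelta(hours=1), "mode": "block"},
    {"name": "ws-02", "agent": "new", "last_seen": NOW - timedelta(days=3), "mode": "block"},
    {"name": "ws-03", "agent": "new", "last_seen": NOW - timedelta(hours=2), "mode": "monitor"},
    {"name": "ws-04", "agent": "old", "last_seen": NOW - timedelta(hours=1), "mode": "block"},
    {"name": "srv-01", "agent": "old", "last_seen": NOW - timedelta(hours=5), "mode": "block"},
    {"name": "srv-02", "agent": None, "last_seen": None, "mode": None},
]

# Assumption: a check-in older than this means the agent is not reporting.
STALE_AFTER = timedelta(hours=24)
# Assumption: "block" is the intended production policy mode.
INTENDED_MODE = "block"


def is_effective(host, now=NOW):
    """A control counts as effective only if it is installed, reporting
    recently and running in the intended mode; "installed" alone is not enough."""
    return (host["agent"] is not None
            and host["last_seen"] is not None
            and now - host["last_seen"] <= STALE_AFTER
            and host["mode"] == INTENDED_MODE)


def control_metrics(hosts, now=NOW):
    """Deployment coverage versus effective coverage, as percentages of the estate."""
    total = len(hosts)
    installed = sum(1 for h in hosts if h["agent"] is not None)
    effective = sum(1 for h in hosts if is_effective(h, now))
    pct = lambda n: round(100 * n / total, 1) if total else 0.0
    return {"total": total, "installed": installed, "effective": effective,
            "installed_pct": pct(installed), "effective_pct": pct(effective)}


def migration_progress(hosts):
    """Share of hosts already on the new agent, plus the hosts still to migrate."""
    total = len(hosts)
    on_new = sum(1 for h in hosts if h["agent"] == "new")
    remaining = [h["name"] for h in hosts if h["agent"] != "new"]
    return {"migrated_pct": round(100 * on_new / total, 1) if total else 0.0,
            "remaining": remaining}


def gaps(hosts, now=NOW):
    """Hosts where the control is present on paper but not effective, with the reason."""
    out = {}
    for h in hosts:
        if h["agent"] is None:
            out[h["name"]] = "no agent"
        elif now - h["last_seen"] > STALE_AFTER:
            out[h["name"]] = "not reporting"
        elif h["mode"] != INTENDED_MODE:
            out[h["name"]] = "wrong mode"
    return out


if __name__ == "__main__":
    print("control:", control_metrics(HOSTS))
    print("migration:", migration_progress(HOSTS))
    print("gaps:", gaps(HOSTS))
```

The useful distinction is between the two coverage numbers: on this inventory five of six hosts have an agent installed, but only three are reporting in the intended mode, so the "effective" figure is the one that speaks to threat readiness, while the migration figure tracks the ad-hoc project separately without changing how the control itself is judged.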
To build a more unified and collaborative security organization, security leaders should leverage the “P” in CPM. This entails sharing insights, defining realistic goals, and tracking progress. It is no longer enough to simply report performance; it is crucial to use it for better management as well. By focusing on performance, security leaders can significantly enhance both cybersecurity operations and overall security performance.
In conclusion, the “P” in CPM represents performance, which plays a pivotal role in cybersecurity. CISOs must have a comprehensive understanding of their security programs, threat readiness, control effectiveness, and customization to effectively measure performance. By leveraging performance, security leaders can foster a more unified and collaborative security organization, ultimately improving cybersecurity operations and overall security performance.
