Is your organization more secure today than it was before? How effective are your security controls? Are they in compliance with mandated regulations?
When it comes to answering questions like these, tracking the right IT security metrics is key. IT security metrics don’t just help organizations to monitor the accomplishment of IT security performance goals and objectives, they also help identify their security strengths and weaknesses.
To be effective, IT security metrics must:
- Yield quantifiable information
- Use easily obtainable and accurate data
- Be useful for tracking performance and directing resources
"The important point to emphasize is that security metrics are a journey and not a destination."
-Lance Hayden, security awareness pioneer
But the lack of standardization in the industry when it comes to IT security metrics makes it a challenge for enterprise security teams to know what to measure in order to best protect their organization.
Let’s look at five IT security metrics that matter across common cybersecurity frameworks and regulations.
There’s one caveat though: These frameworks may not ask you to measure these exact IT security metrics, but if you’re continuously able to track these metrics, your security posture and compliance reporting will be much stronger.
Metric No. 1: Number of Vulnerabilities Left Unpatched
Keeping up with the influx of security vulnerabilities is a top priority for IT and security teams.
Used to assess the overall security of a network, this IT security metric quantifies the percentage of systems on a network that have at least one unpatched vulnerability. The higher the metric value, the lower the security level of the network.
But the sheer volume of patches that security teams need to implement means that there’s often a delay in getting systems secured. This leaves a gap threat actors can exploit. Keeping tabs on the number of vulnerabilities left unpatched helps identify these gaps and which systems are most likely to be compromised.
The NIST framework highlights the importance of regularly performing vulnerability scanning and assessment to locate which systems are vulnerable and to patch vulnerabilities before attackers find and exploit them.
CIS Control 7 — Continuous Vulnerability Management — recommends that organizations develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate them and minimize the window of opportunity for attackers.
Metric No. 2: Dwell Time
A powerful metric for security teams, dwell time represents the entire length of time a threat actor has been present in a victim network — starting from the time they enter your network to the time they leave or are removed.
Dwell time helps measure how well security teams can prevent, detect, and neutralize threats. Quickly analyzing an event and responding accordingly is key to containing an attack and reducing dwell time.
CIS Control 17 — Incident Response Management — offers organizations best practices on how to prepare for, detect, and quickly respond to an attack. It sheds light on how the dwell time from when an attack happens to when it is identified can be days, weeks, or months.
It also highlights how a longer dwell time gives threat actors more opportunity to find ways to maintain persistent access. With the rise of ransomware, dwell time is critical, especially given the modern tactic of stealing data before encrypting it for ransom.
Metric No. 3: Number of Systems With Data Encryption Deployed
For organizations required to comply with regulations and standards like the CCPA, GDPR, HIPAA, or PCI DSS, implementing data security procedures like data encryption is crucial.
The Payment Card Industry Data Security Standard, for example, aims to increase controls around cardholder data to reduce credit card fraud. Among the several requirements organizations have to meet to be compliant is protecting stored cardholder data by implementing methods like encryption, and encrypting transmission of cardholder data across open, public networks.
Although the GDPR doesn’t explicitly mandate encryption, it repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” for securing personal data.
Keeping track of the number of systems with data encryption deployed helps organizations ensure compliance with these regulations, while also keeping sensitive data secure.
Metric No. 4: Number of Admin Accounts With Configuration Risks
Privileged accounts, like admin accounts, provide elevated and often unrestricted access to an organization's systems and sensitive data. Misconfigured admin accounts can therefore introduce significant risks to the business.
Monitoring the number of admin accounts with configuration risks helps IT and security teams assess whether admin accounts are being used and configured in accordance with company security policies. A lower number here equates to lower security risk.
Configuration risks in admin accounts can stem from several factors, including default passwords, security policies with overly permissive access rights, or inactive users with outdated permissions.
To address these challenges, NIST recently published the draft version of NIST Cybersecurity Practice Guide SP 1800-18, Privileged Account Management, which offers practical guidance to financial services organizations interested in implementing a privileged account management solution. The guidance is flexible enough for other industries looking to implement stronger security controls for privileged account management.
Metric No. 5: Number of Unmanaged or Unsecured Endpoints
Without knowing whether all relevant endpoint devices are covered, it’s impossible to be confident that you’re really protected.
But the combination of remote work and relaxed BYOD policies means endpoint security has become more complicated for many organizations, especially for federal agencies.
While organizations mandate that specified devices must be covered by a certain endpoint agent, we’ve found that some customers have as many as 60% of devices that are missing the requisite agent. It’s equally important to track down endpoint devices that have the required agent installed, but where it’s either inactive or not sending back data as expected.
Section 7 of the recent Executive Order on Improving the Nation’s Cybersecurity directs all federal agencies to launch initiatives to improve their endpoint detection and response capabilities on a tight timeline.
Given that enterprises can’t defend what they don’t know they have, CIS Controls 1 and 2 highlight how proper asset management is imperative to identifying critical enterprise assets so that appropriate security controls can be applied to protect endpoints.
No matter what security metrics you pick, an up-to-date and accurate asset inventory is key to strengthening your organization’s security posture. It helps ensure that all assets are covered by mandated security policies and practices. Cybersecurity asset management solutions provide organizations with not just a comprehensive and credible asset inventory, but also help IT and security teams measure their current state by tracking and reporting security coverage metrics for all assets.
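As an added illustration (not code from the original post or from any asset-management product), the script below computes two of the metrics discussed above from an asset inventory: Metric No. 1, the percentage of systems with at least one unpatched vulnerability, and Metric No. 5, the endpoints that either have no agent installed or have an agent that has stopped reporting. The inventory records, field names, the 7-day staleness threshold and the vulnerability IDs are all constructed assumptions for the example, not the schema or data of any real tool.

```python
from datetime import datetime, timedelta
import json

# Constructed sample inventory for this example only; the field names are
# assumptions, not the schema of any real asset-management product.
NOW = datetime(2024, 6, 1, 12, 0)

INVENTORY = [
    {"host": "web-01", "open_vulns": ["VULN-A"], "agent_installed": True,
     "last_checkin": NOW - timedelta(hours=2)},
    {"host": "web-02", "open_vulns": [], "agent_installed": True,
     "last_checkin": NOW - timedelta(days=12)},      # agent present but silent
    {"host": "db-01", "open_vulns": ["VULN-B", "VULN-C"], "agent_installed": True,
     "last_checkin": NOW - timedelta(hours=1)},
    {"host": "laptop-17", "open_vulns": [], "agent_installed": False,
     "last_checkin": None},                           # agent never deployed
    {"host": "build-03", "open_vulns": ["VULN-A"], "agent_installed": False,
     "last_checkin": None},
]


def percent_vulnerable(inventory):
    """Metric 1: share of systems carrying at least one unpatched vulnerability."""
    if not inventory:
        return 0.0
    vulnerable = sum(1 for asset in inventory if asset["open_vulns"])
    return round(100.0 * vulnerable / len(inventory), 1)


def endpoint_coverage_gaps(inventory, now, stale_after=timedelta(days=7)):
    """Metric 5: endpoints with no agent, plus endpoints whose agent is
    installed but has not checked in within `stale_after` (assumed threshold)."""
    missing, stale = [], []
    for asset in inventory:
        if not asset["agent_installed"]:
            missing.append(asset["host"])
        elif asset["last_checkin"] is None or now - asset["last_checkin"] > stale_after:
            stale.append(asset["host"])
    return {"missing_agent": sorted(missing), "stale_agent": sorted(stale)}


def coverage_report(inventory, now, stale_after=timedelta(days=7)):
    """Combine both metrics into one report suitable for compliance evidence."""
    gaps = endpoint_coverage_gaps(inventory, now, stale_after)
    total = len(inventory)
    unsecured = len(gaps["missing_agent"]) + len(gaps["stale_agent"])
    return {
        "total_assets": total,
        "percent_vulnerable": percent_vulnerable(inventory),
        "unsecured_endpoints": unsecured,
        "percent_unsecured": round(100.0 * unsecured / total, 1) if total else 0.0,
        **gaps,
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(INVENTORY, NOW), indent=2, default=str))
```

On the constructed inventory the report shows 60% of systems vulnerable and three of five endpoints unsecured: two with no agent and one whose agent last checked in 12 days ago. Counting a silent agent as an uncovered endpoint is the design choice that matters here; an inventory that only asks "is the agent installed?" would report web-02 as protected.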
How Tracking Information Security Metrics Can Enhance Security Posture & Compliance Reporting
Tracking IT security metrics can significantly enhance your compliance reporting. Regularly monitoring and analyzing relevant metrics allows you to gain insight into your security controls, locate vulnerabilities and weaknesses, and take proactive measures to improve your security posture.
Having this information can be especially beneficial during audits, assessments, and regulatory inspections, where accurate and up-to-date metrics can serve as tangible evidence of an organization's security posture and compliance efforts.