Security, regardless of type, has always been about preparing for the worst. It is a negative goal: we work to prevent unauthorized actors from gaining access to a file, system, or network. The challenge is that we have to anticipate every way a bad actor might gain access, including vulnerabilities in the software itself. Furthermore, as innovation drives new technologies, new cybersecurity threats emerge every day. This makes “cybersecurity success” something of an oxymoron, because there is no finish line. It is an ongoing effort to stay ahead of attackers, evolve security technologies and processes, and improve the current state of knowledge. The stark reality is that we cannot know what is going to happen in the future; the best we can do is anticipate the next threat to our systems and adapt. As such, cybersecurity success is not defined by winners and losers, or even by the number of days since the last intrusion. It is a new world and requires its own measures of success.
How do we define “cybersecurity success”?
Most organizations rely on cybersecurity metrics that focus on what has occurred in the past and measure statistics such as how many packets were blocked or how many viruses were detected. These data points do not describe the organization’s security capabilities, because they omit the qualitative knowledge that determines whether the security program succeeds.
Qualitative data around questions like…
- “How well trained are your end users?”
- “Are your policies appropriate to achieve the objectives of your security program?” and
- “Does your leadership team support the cybersecurity program?”
…are key dimensions that affect the success of any security program. If we rely only on traditional security metrics and exclude qualitative information, we cannot really understand the risks we are taking or the gaps in our security program that need to be addressed. This leads to a false sense of security, a trap that many organizations fall into when they fail to account for the qualitative information needed to assess risk accurately.
Use a Maturity Model
Intrusion statistics don’t tell us much about an organization’s security. Really understanding a cybersecurity program requires a combination of quantitative and qualitative measurements. The best qualitative measurement begins with defining the organization’s cybersecurity requirements and evaluating how policies, procedures, training, and technical controls work together to protect the network. The success of a cybersecurity program depends on how each component works and how the components are interconnected. To evaluate these qualitative dimensions, a capability maturity model offers a well-defined framework for assessing a cybersecurity program.
Maturity models are based on observations of how organizations have developed capabilities over time, and they incorporate industry best practices. A model describes a series of capability levels that can be used to assess the organization’s current state, describe the desired future state, and measure progress toward it. The benefit to the organization is identifying and remediating deficient capabilities and laying out a plan for continuous improvement. The key to success is the proper assessment, planning, and implementation of the cybersecurity program.
So, can we define cybersecurity success? The short answer is yes. Organizations can successfully protect their networks through proper planning, stakeholder buy-in, ongoing user training, and staying abreast of the latest threats. Since there is no finish line in cybersecurity, it is important that organizations understand how to measure the effectiveness of their programs across all of these dimensions.
In addition to what we have discussed here, what other ways are there to measure “cybersecurity success”? Please share your thoughts in the comments below.
If you enjoyed this post, subscribe to our blog and follow @Idenhaus on Twitter.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Contact us today!