Measuring the effectiveness of your cybersecurity program (and the associated investment in it) can be a tricky thing.
Cybersecurity at its core is ultimately a loss prevention domain, and just like with fire insurance, it is often difficult for an organization's leadership to see it as anything else other than an additional cost center.
To mitigate this, and to make reporting to the Board more tangible, cybersecurity programs often have particular Key Performance Indicators (KPIs) and effectiveness tracking metrics attached to them. For example, some of the most important metrics when it comes to measuring the effectiveness of a cybersecurity program, and the Cyber Incident Response component in particular are:
Mean Time to Detect (MTTD)
Mean Time to Contain (MTTC)
Mean Time to Resolve (MTTR)
As a result, moving the needle across metrics such as these is what often drives cybersecurity program budget distribution.
The Catch-22 here is that all three are closely connected and must be considered in tandem. For example, if your organization is lacking advanced and up-to-date detection capabilities, the above metrics will fall flat and provide a purely artificial image of your cybersecurity program's effectiveness. After all, if it took ~ 200 days to detect a breach and then just under a week to contain it due to effective Incident Response efforts, it is unlikely to be referred to as a success by media and third parties.
The correct approach to implementing an effective cybersecurity program is a holistic one, spanning at least the following 3 components:
Cyber Threat Insights - key not only to effectively preventing and detecting attacks but also to efficient budget distribution. For example, healthcare organizations that spend most of their cybersecurity budget on perimeter controls can observe a low correlation of such spending to the amount of data exfiltrated; this is due to nearly half of healthcare data breaches attributed to negligence, not malice. Using this information to strengthen internal access controls, conduct training, or implement Data Loss Prevention (DLP) would provide a better Return On Investment (ROI).
Detection Capabilities - needless to say, an ability to identify and detect an attack in a timely fashion is directly tied to effective cyber threat management.
Response Capabilities - detecting an attack is a pre-requisite for successful Cyber Incident Response, but low cybersecurity crisis management maturity can completely negate even the most sophisticated detection mechanism. This is precisely why it is key for organizations of all levels to have a detailed and up-to-date Cyber Incident Response Plan, complete with scenario-focused Playbooks and regular cross-functional simulation training sessions or tabletops.
Food for thought: a report by PwC found that just 22 percent of chief executives believe that their risk exposure data is comprehensive enough to inform their decisions - and this applies to the cybersecurity aspect of the company's strategy as well.
Addressing this knowledge gap is paramount for an effective cybersecurity program, and for optimizing the ROI of your cybersecurity budget spending.