Cyber Secure
Cyber Operations
Cyber Response
Cyber Resilience
Menu
Cyber Strategy
Services
Cyber Strategy
Solutions
Cyber Security Metrics
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Metrics are tools to facilitate decision making and improve performance and accountability.
Measures are quantifiable, observable, and objective data supporting metrics. Operators can use metrics to apply corrective actions and improve performance.
CYBER SECURITY METRICS
Regulatory, financial, and organizational factors drive the requirement to measure IT security performance. Potential security metrics cover a broad range of measurable features, from security audit logs of individual systems to the number of systems within an organization that were tested over the course of a year. Effective security metrics should be used to identify weaknesses, determine trends to better utilize security resources, and judge the success or failure of implemented security solutions.
OUR APPROACH
- Keep the cyber security metrics meaningful
- Tie the metrics to your cyber program processes
- Keep the metrics reproducible
- Develop rigorous and objective definitions
- Build useful desk procedures/checklists
- Keep the metrics manageable
- Leverage existing automated sources of data
- Make practical decisions to narrow scope as needed
- Provide an increased level of transparency
In information security, it is no different. Effective management of varying performance indices can mean the difference between a practical and efficient project and a complete waste of money. Although IT managers have been following KPIs for quite some time now, in information security, this is an uncommon and still developing practice to track cyber security metrics. Cyber security metrics should be identified and created for various different audiences ranging from management level to C-level and executives.
CYBER SECURITY METRICS
Regulatory, financial, and organizational factors drive the requirement to measure IT security performance. Potential security metrics cover a broad range of measurable features, from security audit logs of individual systems to the number of systems within an organization that were tested over the course of a year. Effective security metrics should be used to identify weaknesses, determine trends to better utilize security resources, and judge the success or failure of implemented security solutions.
In information security, it is no different. Effective management of varying performance indices can mean the difference between a practical and efficient project and a complete waste of money. Although IT managers have been following KPIs for quite some time now, in information security, this is an uncommon and still developing practice to track cyber security metrics. Cyber security metrics should be identified and created for various different audiences ranging from management level to C-level and executives.
OUR APPROACH
- Keep the cyber security metrics meaningful
- Tie the metrics to your cyber program processes
- Keep the metrics reproducible
- Develop rigorous and objective definitions
- Build useful desk procedures/checklists
- Keep the metrics manageable
- Leverage existing automated sources of data
- Make practical decisions to narrow scope as needed
- Provide an increased level of transparency
STEPS TO CREATE THE METRICS
- Define the metrics program goals and objectives
- Decide which metrics to generate
- Develop strategies for generating the metrics
- Establish benchmarks and targets
- Determine how the metrics will be reported
- Create an action plan and act on it
- Establish a formal program review/refinement cycle
RIGHT METRICS FOR THE RIGHT AUDIENCE
C-SUITE & BOARD MEMBERS
- Current State of Security
- Risk Year-on-Year Statistics
- Hygiene/Health
- Effectiveness Index
- Current Risk Posture and Changes Over
- Time Trends
- Employee Awareness Index
- Security Initiative Performance
- Investments
- Incident Index
- Regulatory Compliance Reports
- Updates Benchmark Reports
- Budget Performance
STEPS TO CREATE THE METRICS
- Define the metrics program goals and objectives
- Decide which metrics to generate
- Develop strategies for generating the metrics
- Establish benchmarks and targets
- Determine how the metrics will be reported
- Create an action plan and act on it
- Establish a formal program review/refinement cycle
RIGHT METRICS FOR THE RIGHT AUDIENCE
C-SUITE & BOARD MEMBERS
- Current State of Security
- Risk Year-on-Year Statistics
- Hygiene/Health
- Effectiveness Index
- Current Risk Posture and Changes Over
- Time Trends
- Employee Awareness Index
- Security Initiative Performance
- Investments
- Incident Index
- Regulatory Compliance Reports
- Updates Benchmark Reports
- Budget Performance
MANAGEMENT
- Trend Analysis Data
- Security Posture Trends
- Vulnerability Management / Patch Reporting
- Emerging Network Threats
- Incident Response Times
- Audit Compliance and Findings
- % of Risk Accepted Threats
SERVICE OWNERS & SUPPORT TEAMS
- # of Incidents Investigated
- Type and Severity of Security Incidents
-
Vulnerability External / Internal
(Highs/Mediums/Lows)
- % Servers, Apps, Patched to Current Patch Level
- Detail info on Threats
- Top/Emerging Exploits
DTS can help your organization build cyber security metrics using the PRAGMATIC metametrics approach. PRAGMATIC is an acronym for the basis of the method in using metrics that are predictive, relevant, actionable, genuine, meaningful, timely, independent and cost.
The PRAGMATIC method has application both in designing security metrics from scratch, and in systematically improving your current metrics. If you are using security metrics that ‘ought to work’ in theory but for some reason don’t seem to work out so well in practice, the PRAGMATIC method helps you understand why they don’t work and identify what would need to change to make them more valuable. Simply altering the way, the security metrics are analyzed and presented may be sufficient, otherwise it may be worth exploring whether changing the phrasing or definition of metrics will turn things around.
At the end of the day, some security metrics are so poor they are simply irredeemable: the PRAGMATIC method gives you a way to put lame metrics out of their misery, saving money and encouraging management to focus their attention on the remaining fit-for-purpose metrics. Lacking this crucial step, metrics systems tend to grow, and we end up measuring what we can, not what we should. DTS can help your organization to design, build and manage the cyber security metrics and performance measurement system using the PRAGMATIC metametrics approach.
MANAGEMENT
- Trend Analysis Data
- Security Posture Trends
- Vulnerability Management / Patch Reporting
- Emerging Network Threats
- Incident Response Times
- Audit Compliance and Findings
- % of Risk Accepted Threats
SERVICE OWNERS & SUPPORT TEAMS
- # of Incidents Investigated
- Type and Severity of Security Incidents
- Vulnerability External / Internal (Highs/Mediums/Lows)
- % Servers, Apps, Patched to Current Patch Level
- Detail info on Threats
- Top/Emerging Exploits
DTS can help your organization build cyber security metrics using the PRAGMATIC metametrics approach. PRAGMATIC is an acronym for the basis of the method in using metrics that are predictive, relevant, actionable, genuine, meaningful, timely, independent and cost.
The PRAGMATIC method has application both in designing security metrics from scratch, and in systematically improving your current metrics. If you are using security metrics that ‘ought to work’ in theory but for some reason don’t seem to work out so well in practice, the PRAGMATIC method helps you understand why they don’t work and identify what would need to change to make them more valuable. Simply altering the way, the security metrics are analyzed and presented may be sufficient, otherwise it may be worth exploring whether changing the phrasing or definition of metrics will turn things around.
At the end of the day, some security metrics are so poor they are simply irredeemable: the PRAGMATIC method gives you a way to put lame metrics out of their misery, saving money and encouraging management to focus their attention on the remaining fit-for-purpose metrics. Lacking this crucial step, metrics systems tend to grow, and we end up measuring what we can, not what we should. DTS can help your organization to design, build and manage the cyber security metrics and performance measurement system using the PRAGMATIC metametrics approach.
Solutions
Network and Infrastructure Security
Zero Trust and Private Access
Endpoint and Server Protection
Vulnerability and Patch Management
Data Protection
Application Security
Secure Software and DevSecOps
Cloud Security
Identity Access Governance
Governance, Risk and Compliance
Security Intelligence Operations
Incident Response
Accreditations
Accreditations
Dubai
Abu Dhabi Office 7, Floor 14
Makeen Tower, Al Mawkib St.
Al Zahiya Area
Abu Dhabi, UAE
Kuwait Mezzanine Floor, Tower 3
Mohammad Thunayyan Al-Ghanem Street, Jibla
Kuwait City, Kuwait
+971 4 3383365
[email protected]
London 160 Kemp House, City Road
London, EC1V 2NX
United Kingdom
Company Number: 10276574
The website is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, icons and graphics on the website (collectively, the “Content”) are owned or controlled by us or licensed to us, and are protected by copyright laws and various other intellectual property rights. The content and graphics may not be copied, in part or full, without the express permission of DTS Solution LLC (owner) who reserves all rights.
DTS Solution, DTS-Solution.com, the DTS Solution logo, HAWKEYE, FYNSEC, FRONTAL, HAWKEYE CSOC WIKI and Firewall Policy Builder are registered trademarks of DTS Solution, LLC.