1. Make sure you’re asking the right questions.
Any time we evaluate something, it’s easiest to look at quantity first. For example, if you want to know how well your favorite baseball team performed in a game, you look at the quantity of points they scored versus the other team. That’s not exactly the case in cybersecurity. While quantity is important, the questions you ask to evaluate performance should center around quality first.
Here are some examples:
How long is the time period between the first possible indication of a breach and the company’s response to it?
After response, how long does it take the company to perform remediation activities?
While these questions clearly measure a quantity (elapsed time), they do so because the time between these events is a direct indication of the quality of the response the cybersecurity team is providing.
Here is one quantity question you should be asking:
How many incidents is the team detecting/responding to on a weekly/monthly/yearly basis?
But even though we’re looking directly at the quantity of incidents here, it is (again) an indication of quality. Here’s why:
If your cyber team is consumed with responding to incidents and “putting out fires,” they’re likely unable to effectively perform other important aspects of their jobs, like remediation or staying abreast of current information security topics, certifications, or threats.
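A small calculator for the intervals and counts these three questions ask about, added here as an illustration (it is not code from the original post); the incident records are constructed, and the field names are my own assumptions about what an incident tracker would record:

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Incident:
    name: str
    first_indication: datetime  # earliest point the breach could have been noticed
    response_started: datetime  # when the team began responding
    remediated: datetime        # when remediation activities were complete


# Constructed sample records for illustration only (not real incidents).
INCIDENTS = [
    Incident("phish-01",   datetime(2024, 1, 3, 9, 0),    datetime(2024, 1, 3, 11, 30), datetime(2024, 1, 4, 9, 0)),
    Incident("malware-02", datetime(2024, 1, 15, 22, 10), datetime(2024, 1, 16, 8, 0),  datetime(2024, 1, 18, 17, 0)),
    Incident("creds-03",   datetime(2024, 2, 2, 14, 0),   datetime(2024, 2, 2, 14, 20), datetime(2024, 2, 2, 18, 0)),
    Incident("web-04",     datetime(2024, 2, 20, 3, 0),   datetime(2024, 2, 22, 9, 0),  datetime(2024, 3, 1, 12, 0)),
]


def hours_between(start, end):
    return (end - start).total_seconds() / 3600


def time_to_respond(inc):
    """Question 1: first possible indication -> company response."""
    return hours_between(inc.first_indication, inc.response_started)


def time_to_remediate(inc):
    """Question 2: response -> remediation complete."""
    return hours_between(inc.response_started, inc.remediated)


def response_metrics(incidents):
    """Medians resist one slow incident skewing the picture, so the worst case is reported separately."""
    slowest = max(incidents, key=time_to_respond)
    return {
        "median_hours_to_respond": median(time_to_respond(i) for i in incidents),
        "median_hours_to_remediate": median(time_to_remediate(i) for i in incidents),
        "slowest_response": slowest.name,
        "slowest_response_hours": time_to_respond(slowest),
    }


def incidents_per_month(incidents):
    """Question 3: volume per period, keyed by the month of first indication."""
    return dict(sorted(Counter(i.first_indication.strftime("%Y-%m") for i in incidents).items()))


if __name__ == "__main__":
    print(response_metrics(INCIDENTS))
    print(incidents_per_month(INCIDENTS))
```

Tracking the slowest response alongside the median is what surfaces the incident that sat unnoticed for days, which an average would hide.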
2. Give up on the idea of perfection.
That might sound harsh, but it’s true. No organization is perfect, and even the best cybersecurity programs experience challenges. While your cybersecurity team should be measured in part by the number of cybersecurity challenges they experience, you should place much more weight on how they respond to those challenges. A quality cybersecurity team plans for bad things to happen, protects against them as well as possible, then reacts quickly and effectively.
3. Examine how the organization attracts and retains talent.
Cybersecurity unemployment rates are at zero percent. Skilled cybersecurity professionals are hard to find. It’s a seller’s market. So, if your company has a weak cybersecurity program, it will likely be difficult to find and retain good employees. While this isn’t the number one metric you should use to assess the quality of the organization’s cybersecurity program, it can be an indicator of the work environment, quality of performance, and stress level of employees.
If you’re interested in learning how to make your organization’s information security program more effective, just click here to contact us and learn how LBMC Information Security’s team of experts can help.
This blog is the ninth in a series titled, “Cybersecurity in the Boardroom.” The purpose of this series is to shift boardroom conversations and considerations about cybersecurity so board members, company management, and information security personnel can work together to implement a more effective cybersecurity program.