Any time we evaluate something, it’s easiest to look at quantity first. For example, if you want to know how well your favorite baseball team performed in a game, you look at the quantity of points they scored versus the other team. That’s not exactly the case in cybersecurity. While quantity is important, the questions you ask to evaluate performance should center around quality first.
Here are some examples:
How long is the time period between the first possible indication of a breach and the company’s response to it?
After response, how long does it take the company to perform remediation activities?
These questions are phrased as quantities of time, but the time between these events is a direct indication of the quality of the response the cybersecurity team provides.
Here is one quantity question you should be asking:
How many incidents is the team detecting/responding to on a weekly/monthly/yearly basis?
But even though we’re directly looking at the quantity of incidents here, it is (again) an indication of quality. Here’s why:
If your cyber team is consumed with responding to incidents and “putting out fires,” they’re likely unable to effectively perform other important aspects of their jobs, like remediation or staying abreast of current information security topics, certifications, or threats.
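To make the metrics above concrete, here is an added example (not part of the original article) that computes them from a constructed incident log: hours from first indication to first response, hours from response to completed remediation, incidents per ISO week, and which incidents exceeded an assumed response-time threshold. The timestamps and the 4-hour threshold are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). Fields: incident id,
# first possible indication of the breach, first response action, remediation done.
INCIDENTS = [
    ("INC-1", "2024-03-04T08:00", "2024-03-04T10:00", "2024-03-05T10:00"),
    ("INC-2", "2024-03-06T14:00", "2024-03-06T15:30", "2024-03-07T03:30"),
    ("INC-3", "2024-03-12T09:00", "2024-03-12T21:00", "2024-03-15T09:00"),
    ("INC-4", "2024-03-14T00:00", "2024-03-14T00:30", "2024-03-14T06:30"),
]

def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600

def time_to_respond(incidents) -> dict:
    """Hours from first indication to first response, keyed by incident id."""
    return {iid: hours_between(seen, responded) for iid, seen, responded, _ in incidents}

def time_to_remediate(incidents) -> dict:
    """Hours from first response to completed remediation, keyed by incident id."""
    return {iid: hours_between(responded, fixed) for iid, _, responded, fixed in incidents}

def incidents_per_week(incidents) -> dict:
    """Incident counts keyed by ISO year-week of first indication (the volume metric)."""
    counts = Counter()
    for _, seen, _, _ in incidents:
        year, week, _ = datetime.fromisoformat(seen).isocalendar()
        counts[f"{year}-W{week:02d}"] += 1
    return dict(counts)

def slow_responses(incidents, max_hours: float) -> list:
    """Ids of incidents whose response time exceeded the agreed threshold."""
    return [iid for iid, hours in time_to_respond(incidents).items() if hours > max_hours]

def summarize(incidents, max_response_hours: float = 4.0) -> dict:
    """Roll the time-based quality metrics and the volume metric into one report."""
    ttr, ttm = time_to_respond(incidents), time_to_remediate(incidents)
    return {
        "mean_response_hours": mean(ttr.values()),
        "max_response_hours": max(ttr.values()),
        "mean_remediation_hours": mean(ttm.values()),
        "max_remediation_hours": max(ttm.values()),
        "incidents_per_week": incidents_per_week(incidents),
        "over_response_threshold": slow_responses(incidents, max_response_hours),
    }
```

Tracking the mean alongside the max matters: one slow response (INC-3 here) can hide behind a healthy average, and the per-week count shows whether the team is spending its time on firefighting rather than remediation.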