EY Cybersecurity Dashboard - Alliance Media Group

Transcription

Cybersecurity Metrics
Supporting accurate and timely decision-making
November 2018
Anthony Muiyuro, Cybersecurity Leader, EY East Africa

Contents
01 Business drivers: while more questions are being asked about cybersecurity, current reporting is not adequate.
02 Challenges: organizations are struggling to determine what and how to report on cybersecurity.
03 Building an effective metrics program: improve cybersecurity reporting requirements.
04 The CISO dashboard
Page 2, 23 November 2018, Cybersecurity Metrics & Dashboards

Metrics story

"Measurement is the first step that leads to control and eventually to improvement. If you can't measure something, you can't understand it. If you can't understand it, you can't control it. If you can't control it, you can't improve it."
- H. James Harrington

Business drivers

It can be challenging to communicate the value of cybersecurity in business terms

As the focus on cybersecurity has continually increased, information security functions are faced with a number of difficult questions:
- How does a CISO defend the cybersecurity budget?
- Are our security investments paying off?
- Are cybersecurity services delivered in a fashion that meets business needs?
- How secure is our organization?
- Are our response capabilities adequately managing the impact of incidents to the organization?
- How do we continue to get support for cybersecurity efforts from executive leadership?
- How well are we identifying and responding to relevant threats?
- Is our security program on track to achieve maturity objectives?

Telling "the cybersecurity story" is complicated for many reasons

- Lack of common language: information security lacks a mature common language to describe its complex environment in terms of business value.
- Difficulty in obtaining required data: consistent, timely and relevant data to support reporting often is not readily available.
- Organizational differences: varying information security organizational structures and responsibilities make it difficult to standardize reporting focus areas.
- Lack of performance baselines: there are no established, widely accepted performance baselines.
- Legacy thinking: the legacy approach to security reporting is focused on tracking what is being done vs. how well it is being done. Most traditional ways of reporting focus on available data rather than the needs of the reader.

Stakeholders to 'manage'

The Board, Chief Executive Officer, Chief Information Officer, Chief Information Security Officer, Chief Risk Officer, Chief Compliance Officer, Internal Audit and functional leads each bring their own question to cybersecurity reporting:
- Is the cybersecurity strategy aligned with our business strategy?
- Is the organization complying with policies and regulations?
- Are security initiatives on track to remediate risks and improve security?
- Is the money spent on cybersecurity creating value?
- How efficient have our tools been in protecting against cyber attacks?
- Do we have real-time insights into critical incidents, threats and vulnerabilities impacting our environment?
- What are our key risks and how can we mitigate them?
- Do we have appropriate and effective controls in place?

Organizations are struggling to determine what and how to report on cybersecurity

- Cyber threats are just one of the many risks that organizations face. Most organizations struggle with fully understanding what they need to report on and to whom (e.g., to boards, audit committees).
- Cybersecurity metrics are often presented as key risk indicators or key performance indicators that are accurately measurable; however, these often tell "nothing but the truth," but not the "whole truth," as they lack business context.
- Existing cybersecurity, governance risk and compliance (GRC), and service management technologies increasingly have dashboard and reporting capabilities but are often not integrated.
- The legacy approach to security reporting is focused on tracking what is being done versus how well risk is being reduced. As a result, current reporting does not provide the insight needed to take risk-based business decisions.
- Many executive cyber reports are largely manually compiled on an ad hoc or inconsistent frequency and require significant effort and time to produce.
- Existing reporting often lacks actionable information that can be used to remediate issues quicker and more effectively.

Developing an effective metrics program

Well-designed metrics support decision making

Data becomes information, and information becomes value, when it provides decision support in the right format at the right time. The decisions metrics should support:
- Strategic alignment: decisions that strategically align with the organization's vision and objectives.
- Operational excellence: decisions that maximize operational efficiency and effectiveness.
- Response capabilities: decisions that take into consideration both external and internal factors and demonstrate response capabilities.

Three categories of security measures are critical in enabling decision making

1. Relative state of IS program progress
   Reports: progress, enabled with context from the broader cybersecurity program (e.g., counts, percentages, forecast to actual, burn rate).
   Answers: What are we doing? (security projects and initiatives)
   Supports: strategic alignment.
   Characterized as: time-bound and outcome-based.

2. Relative state of security posture
   Reports: technical data contextualized against internal and external relevant factors.
   Answers: Are we doing enough? (security controls)
   Supports: strategic alignment and operational excellence.

3. State of IS operations performance
   Reports: process evaluations against performance objectives (e.g., timeliness, quality, consistency, effectiveness).
   Answers: How well are we doing? (security processes)
   Supports: operational excellence and response capabilities.
   Characterized as: operationally used.

Maturity goal

Organizations cannot wait until they have reached their desired maturity to begin measuring security

Many cybersecurity organizations erroneously opt to delay implementation of performance management programs in order to allow their functions to mature. This approach puts underdeveloped and unsophisticated cybersecurity organizations at greater risk of not getting the attention and investment they need to transform and develop, as they lack the metrics and measurements necessary to demonstrate their value to the overall business as well as the gaps that exist.

Good metrics drive change. Security performance management enables organizations to improve within and across maturity levels:
- Initial: metrics can help identify high-risk areas for targeted improvement and support funding requests for larger efforts by providing visibility into "security" gaps.
- Repeatable: metrics can assist in obtaining visibility into some basic repeatable processes while driving performance to desired levels.
- Defined: metrics can assist in the formalization of security functions and services by quantifying performance expectations and reporting on progress.
- Managed: metrics can be used to effectively report on the performance of operational activities and the quality of services delivered.
- Optimizing: metrics can drive continuous security program enhancements and performance improvement towards strategic goals.

Improving cybersecurity reporting requirements

Cybersecurity reporting should enable accurate and timely decision-making

Reporting must:
- Provide a realistic view of cyber risk posture
- Be readily available and produced consistently for all stakeholders
- Demonstrate analysis, knowledge and expertise

What each audience needs to see:
- The Board: critical incidents; risk posture/trend; spend status/ROI; compliance.
- CISO, CIO, other C-level: portfolio status/health; financial and organizational health (e.g., budget, headcount).
- Functional or domain leadership: control health (e.g., patching, malware protection); mapping to controls (e.g., NIST, ISO); project status/health.
- Operational leads: operational risk (e.g., incidents, threats, vulnerabilities); activities status.
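The deck describes the three kinds of measures (program progress, security posture, operations performance) and which figures each audience sees, but it never shows how raw data becomes one of those figures. The following is an added worked example, not code from the EY deck or any EY tool, that derives all three from constructed records: a criticality-weighted patch-SLA figure beside the raw one (posture), containment timeliness against an objective (performance), and burn rate with forecast at completion (progress). The SLA windows, criticality weights, containment target, host names, tickets and projects are all assumptions made for illustration.

```python
"""Added worked example, not from the EY deck: computing the three kinds of
measures the deck describes (program progress, security posture, operations
performance) from raw records. Every record, SLA value and weight below is
constructed for illustration; the asset, ticket and project names are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed remediation SLA per vulnerability severity, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}
# Assumed weights that bring asset criticality (business context) into a metric.
CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1}
CONTAIN_TARGET_HOURS = 24  # assumed containment objective for incidents

AS_OF = datetime(2018, 11, 23)  # reporting date; the deck's own date


def days_ago(n: int) -> datetime:
    return AS_OF - timedelta(days=n)


@dataclass
class Vuln:
    asset: str
    asset_criticality: str     # business criticality of the asset: high/medium/low
    severity: str              # scanner severity: critical/high/medium
    found: datetime
    fixed: Optional[datetime]  # None means still open at AS_OF


@dataclass
class Incident:
    ticket: str
    detected: datetime
    contained: datetime


@dataclass
class Initiative:
    name: str
    budget: float
    planned_spend_to_date: float
    actual_spend_to_date: float
    percent_complete: float  # 0.0 to 1.0


# Constructed sample data (hypothetical hosts, tickets and projects).
VULNS = [
    Vuln("erp-db-01", "high", "critical", days_ago(12), None),
    Vuln("kiosk-09", "low", "high", days_ago(30), days_ago(20)),
    Vuln("kiosk-10", "low", "medium", days_ago(50), days_ago(30)),
    Vuln("kiosk-11", "low", "critical", days_ago(10), days_ago(7)),
    Vuln("hr-web-02", "medium", "high", days_ago(60), days_ago(15)),
    Vuln("erp-app-01", "high", "high", days_ago(35), None),
]
INCIDENTS = [
    Incident("INC-101", days_ago(5), days_ago(5) + timedelta(hours=4)),
    Incident("INC-102", days_ago(3), days_ago(3) + timedelta(hours=30)),
    Incident("INC-103", days_ago(1), days_ago(1) + timedelta(hours=10)),
]
INITIATIVES = [
    Initiative("EDR rollout", 120_000, 60_000, 75_000, 0.40),
    Initiative("Privileged account cleanup", 50_000, 25_000, 20_000, 0.50),
]


def within_sla(v: Vuln, as_of: datetime = AS_OF) -> bool:
    """A finding meets SLA if it was fixed inside the window, or is still
    open but younger than the window."""
    end = v.fixed or as_of
    return (end - v.found).days <= SLA_DAYS[v.severity]


def posture(vulns: List[Vuln], as_of: datetime = AS_OF) -> Dict:
    """Relative state of security posture. The raw SLA figure is 'nothing but
    the truth'; weighting by asset criticality adds the business context."""
    ok = [v for v in vulns if within_sla(v, as_of)]
    total_w = sum(CRIT_WEIGHT[v.asset_criticality] for v in vulns)
    ok_w = sum(CRIT_WEIGHT[v.asset_criticality] for v in ok)
    exposed = sorted({v.asset for v in vulns if v.fixed is None
                      and not within_sla(v, as_of) and v.asset_criticality == "high"})
    return {"sla_compliance_raw": round(len(ok) / len(vulns), 3),
            "sla_compliance_weighted": round(ok_w / total_w, 3),
            "critical_assets_past_sla": exposed}


def performance(incidents: List[Incident]) -> Dict:
    """State of IS operations performance: timeliness against an objective."""
    hours = [(i.contained - i.detected).total_seconds() / 3600 for i in incidents]
    hit = sum(1 for h in hours if h <= CONTAIN_TARGET_HOURS)
    return {"mean_hours_to_contain": round(sum(hours) / len(hours), 1),
            "pct_contained_within_target": round(hit / len(hours), 3)}


def progress(initiatives: List[Initiative]) -> List[Dict]:
    """Relative state of program progress: burn rate and forecast to actual."""
    rows = []
    for i in initiatives:
        burn = i.actual_spend_to_date / i.planned_spend_to_date
        forecast = round(i.actual_spend_to_date / i.percent_complete) if i.percent_complete else None
        rows.append({"initiative": i.name, "burn_rate": round(burn, 2),
                     "forecast_at_completion": forecast,
                     "over_budget": forecast is not None and forecast > i.budget})
    return rows


def board_view() -> Dict:
    """The top-line figures a board slide would carry: posture, response, spend."""
    return {"posture": posture(VULNS), "response": performance(INCIDENTS),
            "spend": progress(INITIATIVES)}


if __name__ == "__main__":
    for section, value in board_view().items():
        print(section, value)
```

On the constructed data the raw SLA compliance is 50%, which reads as "half our findings are on time"; weighted by asset criticality it drops to about 27%, because the two findings past SLA sit on the business-critical ERP hosts while the on-time fixes are on low-value kiosks. That gap is exactly the "whole truth" the deck says raw KPIs leave out, and the list of critical assets past SLA is the actionable detail an operational lead needs while the board only sees the percentage and trend.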

Improving the maturity of your cybersecurity reporting

Fig. Maturity model for cybersecurity reporting

- Initial: tactical metrics focused on select security domains. Ad hoc metrics, created only when requested. Manual dashboards (e.g., Excel, PowerPoint). Highly manual effort.
- Repeatable: metrics may be influenced by industry frameworks. Metrics cover most security domains. Manual dashboards created at some regular frequency. Effort still largely manual.
- Defined: metrics provide a high-level view of security risk across the enterprise. Metrics are aligned to leading industry frameworks (e.g., NIST*, ISO*). Data is pulled from the source system for the majority of metrics (e.g., Splunk, Qualys). Dashboard development is operationalized in a visualization tool with many manual repeatable steps.
- Managed: strategic and tactical metrics, KPIs* and KRIs* to monitor coverage and effectiveness. Metrics measure health against industry frameworks. Most metrics pulled from the source system in near real-time. Mostly automated dashboard; very limited manual effort. Dashboards leveraged for decision-making. Dashboard audience expands to key executives (e.g., Board, Audit Committee).
- Optimizing: real-time dashboard with advanced analytics capabilities driven by threat intelligence and predictive modeling. Dashboards are actively used in decision making. Granular views and broader audience (e.g., business units, Human Resources, Privacy, regional views, financial views). Dashboard utilized for communications and awareness across the enterprise.

*NIST - National Institute of Standards and Technology
*ISO - International Organization for Standardization
*KPI - Key Performance Indicator
*KRI - Key Risk Indicator

Cybersecurity dashboards can help provide tangible contributions to the organization

- Near real-time* insights into critical threats and incidents
- Increased visibility into risk posture and control gaps
- Improved, informed strategic and financial decision making
- Predefined profiles to target specific organizational roles
- Customizable dashboards and reports to suit various reporting needs
- Integrated and consolidated cyber dashboards
- Graphic and visual representation of actionable insights

*Depending on availability of data and capability of organizational tools

Developing a systematic framework to create relevant, comprehensive, automated dashboards

Metrics should be part of the life cycle, with continuous assessment and improvement steps. The output has direct impact for a business, from financial to risk reduction.

Inputs feeding the cybersecurity dashboard: objectives, asset criticality, policies, framework alignment, strategy, controls, industry trends, emerging technologies, threat landscape, laws and regulations.

What the dashboard measures:
- Security metrics: assess gaps and risks, and measure the coverage, effectiveness and impact of existing controls and processes.
- Initiatives: assess progress and effectiveness of security activities in improving posture and reducing risk.
- Operations: measure critical operational activities, effectiveness and performance.

Outcomes: risk reduction and improved capabilities.

Sample dashboard artifacts

Demo dashboard: CISO executive overview
Target audience: CISO and the leadership team
Objective: cover key operational, controls health and project status metrics

Demo dashboard: CISO executive overview (daily view)
Target audience: CISO and the leadership team
Objective: cover key real-time operational metrics for daily usage

Demo dashboard: business unit overview
Target audience: business unit IT leaders
Objective: highlight cyber risks for applications tied to a business unit and which risks to focus on first

Demo dashboard: cyber operations
Target audience: CISO and the leadership team
Objective: key metrics on incident, threat and vulnerability management

Demo dashboard: CISO overview, mobile view
Target audience: CISO and the leadership team
Objective: key operational metrics

Let's discuss.

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

About EY's Advisory Services
EY Advisory believes a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize and protect their businesses. A global mindset, diversity and collaborative culture inspires EY consultants to ask better questions, create innovative answers and realize long-lasting results.

The better the question. The better the answer. The better the world works.

2018 EYGM Limited. All Rights Reserved.
EYG no: 01799-183GBL
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com
