You’ve Implemented Cybersecurity Practices, But Are They Effective?
by Geoff Pierce, Centauri Group CISO
Cybersecurity compliance is not a one-and-done event. The practice of cybersecurity is just that… practice! As with anything, the more you practice, the more you improve. As you improve your basic skills, you are able to start incorporating more advanced skills… and so on.
Cybersecurity is no different. I’ve talked about “Say what you do and do what you say” for cybersecurity practices. Unfortunately, many stop at the “say what you do” step (hey, we’re compliant, right?) and fail to put in the practice. Not only do we need to confirm that we, as an organization, “do what we say”; more importantly, we need to measure what we’re doing in meaningful ways. We’ve all heard the old adage that you can’t manage (or improve) what you can’t measure. I take that one step further and say you can’t manage or improve a practice if your measurement isn’t useful.
Consider IT inventory – a foundational component of your configuration management practices. Unless you know what you’re supposed to have on your network, how can you possibly secure it? While having an up-to-date IT inventory is a must, simply reporting the number of items in that inventory from month to month is interesting, but not useful for measuring the effectiveness of your configuration management practice. In the case of IT inventory, a measurement that tells you something is the difference between the number of items in your inventory (what you’re supposed to have) and the number of items found on your network (what you really have). While any difference is worth investigating and understanding, your configuration management practices are likely doing all right if that difference remains small – how small is up to you to decide.
The purpose of measuring effectiveness is to guide improvement efforts. If you haven’t had a lot of practice yet, you will likely see large differences month after month. If so, you need to fix the glitch in your configuration management process! As you improve your practices, those differences get smaller and smaller. Eventually – and hopefully quickly – those differences move within some acceptable tolerance that you determine based on your organization’s risk appetite.
When it comes to inventory, I recommend going with a strong objective of having at least 90% of your IT assets inventoried (especially servers, workstations, laptops) – less than that, and your foundation for cybersecurity is too weak. Then make the measurement on a regular basis – at least quarterly; monthly is better if your environment is dynamically changing – and track your progress. If you are consistently above 90%, then tighten things up further to 95% or higher.
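To make the inventory measure concrete, here is an added example (not code from the original post) that reconciles an authoritative inventory against what a network discovery actually found, and checks the result against the 90% objective. The two record sets, the field names (`asset_id`, `hostname`, `mac`, `ip`) and the MAC addresses are all constructed for illustration; in practice they would come from a CMDB export and a discovery tool. Devices are matched on MAC address, normalized so that differing case and separators from different tools compare equal.

```python
"""Inventory vs. discovery reconciliation as a measure of effectiveness.

Added example, not from the original post. Inputs are constructed sample
records keyed by MAC address; any stable identifier (serial, asset tag)
would work the same way.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data: what the inventory says we are supposed to have.
INVENTORY = [
    {"asset_id": "A-1001", "hostname": "fs01", "mac": "00:11:22:33:44:01", "type": "server"},
    {"asset_id": "A-1002", "hostname": "ws-alice", "mac": "00:11:22:33:44:02", "type": "workstation"},
    {"asset_id": "A-1003", "hostname": "ws-bob", "mac": "00:11:22:33:44:03", "type": "workstation"},
    {"asset_id": "A-1004", "hostname": "lt-carol", "mac": "00:11:22:33:44:04", "type": "laptop"},
    {"asset_id": "A-1005", "hostname": "db01", "mac": "00:11:22:33:44:05", "type": "server"},
]

# Constructed sample data: what a discovery run actually saw on the network.
# Note the dashed, upper-case MAC (a formatting difference between tools)
# and one device that no inventory record accounts for.
DISCOVERED = [
    {"ip": "10.0.0.10", "mac": "00:11:22:33:44:01"},
    {"ip": "10.0.0.21", "mac": "00:11:22:33:44:02"},
    {"ip": "10.0.0.22", "mac": "00:11:22:33:44:03"},
    {"ip": "10.0.0.50", "mac": "00-11-22-33-44-05"},
    {"ip": "10.0.0.77", "mac": "AA:BB:CC:DD:EE:FF"},
]


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so 'AA-BB-CC-DD-EE-FF' and 'aa:bb:cc:dd:ee:ff' match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Reconciliation:
    inventoried: int
    discovered: int
    matched: int
    unknown_on_network: list[str]    # seen on the network, no inventory record
    missing_from_network: list[str]  # in inventory, not seen this run

    @property
    def coverage(self) -> float:
        """Share of devices actually on the network that the inventory knows about.

        An empty discovery result means the measurement itself failed, so it
        is reported as 0.0 rather than a misleading pass.
        """
        return self.matched / self.discovered if self.discovered else 0.0

    @property
    def difference(self) -> int:
        """The raw gap the post describes: unaccounted-for plus unseen devices."""
        return len(self.unknown_on_network) + len(self.missing_from_network)


def reconcile(inventory: list[dict], discovered: list[dict]) -> Reconciliation:
    """Compare inventory to discovery and report coverage and both kinds of gap."""
    inv = {normalize_mac(r["mac"]): r for r in inventory}
    seen = {normalize_mac(r["mac"]): r for r in discovered}
    matched = inv.keys() & seen.keys()
    unknown = sorted(seen[m]["ip"] for m in seen.keys() - inv.keys())
    missing = sorted(inv[m]["hostname"] for m in inv.keys() - seen.keys())
    return Reconciliation(len(inv), len(seen), len(matched), unknown, missing)


def meets_objective(result: Reconciliation, threshold: float = 0.90) -> bool:
    """Apply the coverage objective (90% by default, tighten to 0.95 later)."""
    return result.coverage >= threshold


if __name__ == "__main__":
    r = reconcile(INVENTORY, DISCOVERED)
    print(f"inventoried={r.inventoried} discovered={r.discovered} matched={r.matched}")
    print(f"coverage={r.coverage:.0%} difference={r.difference}")
    print("unknown on network (investigate first):", r.unknown_on_network)
    print("in inventory but not seen (offline or retired?):", r.missing_from_network)
    print("meets 90% objective:", meets_objective(r))
```

Run monthly or quarterly and keep the `coverage` and `difference` values over time; the trend is the useful measure, not any single month. The two gap lists also call for different follow-up: a device on the network with no inventory record is the one to chase down first, while an inventoried laptop that was not seen may simply have been off the network during the scan.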
Need ideas for measures of effectiveness for your cybersecurity practices? Check out the Center for Internet Security controls measures and metrics. What are your preferred cybersecurity measures of effectiveness?