What is Cyber Security Performance Management?

What is Cyber Security Performance Management?
Written by Brian Thomas
Manager, Content Marketing

Security performance management (SPM) helps security and risk leaders take a risk-based, outcome-driven approach to assessing and managing the performance of their organization’s cybersecurity program. With SPM, security leaders can continuously monitor and assess their organization’s current security state, analyze how security performance ranks against industry and peers, and create improvement plans that reduce cyber risk.

SPM offers many tangible benefits. It drives accountability for security outcomes throughout the organization, helps align investments and actions with the highest measurable impact over time, and enables security and risk leaders to efficiently allocate limited resources on the most critical areas of cyber risk. It also breaks down communication barriers and facilitates easily understandable, data-driven conversations with the C-suite and Board.

Why cyber security performance management?

Cybersecurity is a top challenge for executives and Board members who want to be sure their organization is doing its best to avoid compromises and attacks.

The stakes are high. A cybersecurity incident can result in the loss of intellectual property and customer data, reputational damage, and significant financial harm. Because of these risks, organizations are being held increasingly accountable for their security practices, outcomes, and failures.

Yet, building defenses and protecting endpoints is no longer enough. Organizations need to be able to quantify the impact and effectiveness of their security investments and identify gaps in security performance. They must also set goals and make informed decisions to better manage the effectiveness of their tools, technologies, and people.

Security performance management helps companies address these challenges efficiently and effectively.

The case for cyber security performance management

Until recently cyber risk management has taken a traditional route. Organizations have relied on penetration testing and threat intelligence--complemented by occasional audits and security assessments--to determine risk levels. While beneficial, these approaches only offer point-in-time operational metrics, not a continuous view of how security programs are performing.

Communicating risk levels to senior executives has also proven to be a challenge. Highly technical security metrics must be summarized into easily understood insight for Board meetings. Yet, that data often lacks context. How are Board members to know if three security incidents a year is good or bad, or how security performance compares to the competition?

This is where security performance management comes into play.

Security ratings: a critical component

Security ratings are a key component of cyber security performance management. Security ratings are data-driven, objective, and dynamic measurements of an organization’s cybersecurity performance.

Security ratings don’t rely on traditional techniques like penetration testing, questionnaires, or on-site visits. Instead, security ratings are valuable, objective indicators of an organization's cybersecurity posture. These ratings are derived from objective, verifiable information, such as infected machines, indications of compromise, misconfigured security controls, and positive or poor security hygiene (such as unpatched systems). They are typically created by a trusted, independent organization.

Armed with daily ratings, organizations can proactively identify, quantify and manage cyber security risk throughout their ecosystem. They can also see if there are any changes in their security infrastructure that could impact the rating, either positively or negatively, and then evaluate and close any vulnerabilities.

The higher the rating (ratings range from 250-900), the more effective the organization is in implementing good security practices. In fact, Bitsight research shows that companies with a security rating of 500 or lower are nearly five times more likely to experience a publicly disclosed data breach.

Critically, security ratings are also a common language that can be spoken by both technical and non-technical individuals. In this way, security ratings enable conversations between cybersecurity/IT professionals and other members of an organization that can improve decision making.

Security ratings can also be used as part of a third-party risk management program to measure the effectiveness of a vendor’s security program and expose cyber risk across the supply chain. Check out our blog on third-party risk management practices for enterprises to learn more.