TODAY’S CYBERSECURITY ENVIRONMENT isn’t for the faint of heart. Despite a growing tangle of security tools, it isn’t uncommon for SMBs to feel like they’re flying blind if they’re not focused on the appropriate security metrics.
“You cannot possibly improve what you can’t measure,” states Kyle Hanslovan, CEO of cybersecurity firm Huntress. “Large enterprises often have sophisticated measurement tools in place, but SMBs often lack the necessary systems and metrics. They are at greater risk of having an incomplete picture.”
Channel pros can help SMBs understand which security metrics are crucial to shaping a stronger security posture. “With the right information, you can adapt and adjust the focus—and the actual tools—to build a better security framework,” says Angela Hogaboom, sales director for IT services firm SugarShot.
There’s no single template that works for every organization, however. “The focus should be on what reduces risk and improves operational efficiency,” Hogaboom says. “The ultimate goal is to make security an enabler rather than a barrier.”
A Measure of Success
At the enterprise level, it’s common to identify a handful of core metrics and rely on specialized software that delivers real-time insights. For SMBs, however, sophisticated security performance tracking tools are often cost-prohibitive, can be difficult to set up, and typically require training.
Instead, channel pros should advise their SMB clients to focus on a half dozen or fewer overarching metrics, which they can track in a spreadsheet, to provide the guidance necessary to navigate security effectively. “There’s no need to measure everything,” Hanslovan says. “You don’t want to get to the point where perfect is the enemy of good.”
One critical metric is mean time to detect (MTTD). As the name implies, it focuses on how long it takes to identify a security incident. It’s crucial, Hanslovan says, because a swift response reduces the collateral damage from an event. “The longer intruders lurk in a system undetected, the greater the damage they are likely to cause,” he says.
Another important metric is mean time to acknowledge (MTTA), which addresses the lag between detecting a security issue and acting on it. Other often-used metrics include mean time to respond (MTTR), which revolves around getting systems functioning again, and mean time to contain (MTTC), which measures how long it takes to contain all the damage.
Not all metrics should focus on specific events, however. It’s wise to track both false positives and false negatives, Hogaboom says, because when organizations become buried under meaningless alerts—or fail to detect a problem—the window for damage expands and addressing deficiencies becomes more difficult.
When looking at security tools and systems, many organizations also monitor system availability, service-level agreement (SLA) compliance, ticket resolution speed and effectiveness, and mean time between failures (MTBF).
Making Metrics Count
The metrics an organization chooses to focus on should “work together synergistically to deliver the right information,” Hanslovan says.
For example, how long it takes to respond to an event is relatively meaningless if attackers have been lurking in a network for months and have already planted a mountain of malware. “You might respond quickly but it’s too late,” Hanslovan points out. However, when an organization uses a combination of metrics it’s possible to obtain a more complete picture of how the organization is faring.
A key to constructing an effective security metrics framework is broad and deep visibility, he continues. This means delivering critical data to the people who matter in a form they can digest. The ideal is a unified view or dashboard for viewing results and spotting problems early. This may require some custom development. “It’s essential to have a way to measure things consistently and automatically,” Hanslovan notes.
Metrics can serve as a starting point for discussing how to evolve and advance a security strategy, delivering clues about a need for new types of products, or where to focus additional resources, Hogaboom points out. “When you have the right data available,” she stresses, “it’s a lot easier to make the right security decisions.”
Image: iStock