The SSI dashboard is the essential CISO management tool. Whether used for operational, coordination or strategic purposes, it makes it possible to visualize the state of information system security and to measure the gap between the PSSI (information system security policy) of the company and the reality on the ground.

Your IS is constantly evolving, and as CISO you must make quick and informed decisions. In this context, several questions arise.

  • Do you have the right metrics to do this?
  • Is the data you have relevant, objective, or even understandable?
  • Have you integrated all the equipment present on your infrastructure?
  • Do you have the right indicators in front of you to make decisions about the security of your business?

In this article, discover 5 examples of performance indicators to integrate into your SSI dashboard.

What is an SSI performance indicator?

First, let’s agree on the notion of indicator. According to ANSSI, a performance indicator (or KPI, Key Performance Indicator) is a “statistical data combining the measurement of one or more key points and used in comparison with a history, a target value(s) and/or a threshold value(s)”. Put more simply, a performance indicator lets you follow the evolution of an activity, or the result of actions, against the history of that same data. Through comparisons and thresholds, it gives the CISO a decision-making tool.

The SSI indicators generally come from the ISSP (Information Systems Security Policy) implemented within the organization. In particular, they follow the security objectives linked to:

  • a risk analysis;
  • security actions resulting from an action plan;
  • legal obligations or compliance with standards and certifications.

Each company thus defines its KPIs according to its needs, objectives and means, to measure the effectiveness of IS security.

« To make informed decisions, it is above all essential to choose your SSI indicators carefully. And beyond that, it is the visualization of this KPI which should allow the CISO to assess the situation at a glance. »
Baptiste David, Head of PreSales & Delivery, Tenacy

Metrics provide the CISO with a multi-level view.

  • At a strategic level, indicators make it possible to monitor the application of the ISSP.
  • In terms of management, they make it possible, according to ANSSI, to “control the achievement of objectives and improve the quality of service.”
  • As for the operational aspect, the performance indicators make it possible to measure the state of production, the needs and the technical means to be implemented.

In his dashboard, the CISO visualizes the state of his information system in summary form. This is essential help in presenting the situation clearly to both management and operational teams. The objective of an SSI key performance indicator is to facilitate decision-making at all levels.

  • 1. The deployment rate of security patches and fixes per application

    The first of the key indicators on this list concerns measuring the vulnerability of your IT equipment. Patch management consists of identifying software and operating systems on workstations and servers that have not been updated.

    Faced with the proliferation of cyber attacks, it is imperative to minimize the risk of security breaches and vulnerabilities on your information system. In 2017, the WannaCry ransomware exploited a security flaw in Microsoft Windows’ SMB v1 protocol and infected more than 250,000 systems around the world. This is why maintaining an up-to-date IT system is essential for the CISO and his company.

    Everyone is aware of the issue – but are you up to date with the implementation of patches? Are they supported by your equipment? Monitoring a vulnerability indicator such as the deployment rate of security patches and/or fixes per application gives you a real measure of the state of your IT assets. Monitoring this data over time makes it possible to take the decisions needed to reduce the risk of cyberattacks via unpatched security vulnerabilities.
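    To make the first KPI concrete, here is an added example (not code from the article or from Tenacy) that computes the patch deployment rate per application from a constructed inventory and evaluates it the way the ANSSI definition above describes: against a target value, an alert threshold, and the previous measurement. The inventory rows, the history, and the 95% target / 60% threshold are assumed values for illustration.

```python
# Constructed inventory rows: (host, application, latest security patch installed?).
# A real dashboard would pull these from the patch-management or asset tool.
INVENTORY = [
    ("srv-01", "web-frontend", True), ("srv-02", "web-frontend", True),
    ("srv-03", "web-frontend", False),
    ("wks-01", "office-suite", True), ("wks-02", "office-suite", False),
    ("wks-03", "office-suite", False), ("wks-04", "office-suite", False),
    ("srv-04", "database", True),
]
# Last month's rate per application (constructed history for the comparison).
HISTORY = {"web-frontend": 0.50, "office-suite": 0.75, "database": 1.0}
TARGET = 0.95     # rate the ISSP requires (assumed value)
THRESHOLD = 0.60  # below this the indicator turns red (assumed value)

def deployment_rates(inventory):
    """Return {application: share of hosts carrying the latest patch}."""
    totals, patched = {}, {}
    for _host, app, is_patched in inventory:
        totals[app] = totals.get(app, 0) + 1
        patched[app] = patched.get(app, 0) + int(is_patched)
    return {app: patched[app] / totals[app] for app in totals}

def evaluate(rate, previous, target=TARGET, threshold=THRESHOLD):
    """Compare one rate with the target, the alert threshold and its history.
    Returns (status, trend): status is green/orange/red, trend is the change
    since the previous measurement (positive means improving)."""
    if rate >= target:
        status = "green"
    elif rate < threshold:
        status = "red"
    else:
        status = "orange"
    return status, round(rate - previous, 2)

def build_dashboard(inventory=INVENTORY, history=HISTORY):
    """One row per application, sorted by name, ready for the dashboard."""
    rows = []
    for app, rate in sorted(deployment_rates(inventory).items()):
        status, trend = evaluate(rate, history.get(app, rate))
        rows.append({"application": app, "rate": round(rate, 2),
                     "trend": trend, "status": status})
    return rows

if __name__ == "__main__":
    for r in build_dashboard():
        print(f"{r['application']:14} {r['rate']:5.0%}  "
              f"trend {r['trend']:+.2f}  {r['status']}")
```

    The same rate/target/threshold/trend structure applies to the MFA connection rate and the phishing click rate discussed later; only the source rows change.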

  • 2. The volume of activities of your EDR agents on the IT equipment

    The second metric to monitor in a dashboard dedicated to the security of your IT system concerns the protection of workstations. With the advent of EDR agents, security teams now have access to a set of logs and alerts for each workstation. As you analyze your EDR agent protection coverage, you may be surprised to discover the true number of missing, outdated and misconfigured installations.

    Monitoring the threat volume seen by the agents also lets you identify more precisely which teams in your company are targeted by cybercriminals, and thus take corrective actions. Did you know that 380,000 new malicious files[1] are recorded per day? Ransomware attacks, fileless malware, hijacked RDP access, lateral movement… many threats target workstations.

    By analyzing the activity of your EDR agents, you have the ability to react in the event of an attack on one of your machines and thus avoid paralysis of your infrastructure.

  • 3. The volume of processes launched by a super administrator

    The third key metric concerns the measurement of privileged access. System administrators are a prime target for cyberattackers because they provide access to and management of IT resources. According to CyberArk, a vendor specializing in Privileged Access Manager (PAM), 79% of companies have suffered an identity-related breach in the last two years.

    So who is the administrator of what? Perform periodic reviews of privileged accounts and monitor the volume of processes launched by the root user. You then keep watch over this activity while avoiding leaving entry points for attackers.

    Knowledge of this indicator contributes to the evaluation of the security of the IS and its level of risks. It makes it possible to analyze the justification for access and to rectify risky situations by removing inadequate or obsolete access.

  • 4. Connection volume by MFA

    A fourth measurement essential for the CISO to manage the security of the IS is the security of connections. Enabling multi-factor authentication, or MFA (also known through its two-factor variant, 2FA), is a key measure to protect users’ network access.

    To access an application, online account or VPN, the user must present at least two identity verification factors. So after entering a username and password, access remains locked until a second, single-use code (a One-Time Password, or OTP) is entered, received via a second email box, by SMS, or through an application that generates one-time codes such as Google Authenticator, Microsoft Authenticator or Twilio Authy. Identification factors can also be biometric, using the user’s fingerprint, retina or facial recognition.


    “In the age of Office 365 and the entire Cloud, people need to use multi-factor authentication. This is no longer an option for enterprise cybersecurity! In Europe, it is even mandatory to offer double authentication in the banking sector. The CISO must be able to monitor this flagship indicator and its evolution in order to make appropriate decisions for the security of his company.”

    Baptiste David, Head of PreSales Delivery, Tenacy


    Managing the connection rate using MFA ensures that access to applications, particularly the most critical, is secure.

  • 5. The level of training of employees

    The fifth KPI concerns measuring the level of training of employees in cyber risks. According to a study by U-Secure, an expert publisher of user awareness regarding cyber attacks, 85% of data breaches involve the human element. The need to raise user awareness is therefore no longer in doubt.

    But how can you ensure that your employees are truly aware of the dangers and did not just listen absently during the latest cyber training? If you follow the participation rate in cyber risk and threat awareness training, are you sure you are following the right indicator? Would an excellent rate be a guarantee of good reflexes on the part of users in the event of an attack?


    “Saying ‘I raise awareness’ today is not enough. This performance must be measured. And this is concretely what the Tenacy platform allows.”

    Baptiste David, Head of PreSales Delivery, Tenacy


    Instead, monitor the click-through rate of your users during a simulated phishing campaign! The higher the rate, the more awareness effort your employees will need. You will have the visibility necessary to implement new preventive actions. By following the evolution of this click rate, you will have the real measure of your users’ awareness, and therefore the measure of your performance!

As you have noticed while reading this article, defining relevant indicators is essential to obtain a good view of the security of your IS. Your next step, and not the least, will be to determine how you will easily retrieve and aggregate your data. Choice of indicators, implementation, performance monitoring… To help you, Tenacy provides you with personalized SSI dashboards based on measurable and relevant indicators. Opening your eyes is the first step to protecting yourself!