May 4, 2022
How are You Measuring InfoSec KRIs and Cybersecurity Metrics?
In today’s data-driven business operations, delivering meaningful cybersecurity metrics is essential to measure the value of your business resources and progress made toward your business goals.
The sheer amount of security tools in play at a given organization can make aggregating insights across systems a challenge. Often there are so many data points to connect, identifying where to start can be overwhelming. A GRC solution can help organize and structure data for daily reporting or harmonize data across security, regulatory, and internal compliance objectives.
Beyond the internal challenges around structuring data, an added layer of complexity involves understanding what metrics your market is benchmarking. Having tailored cybersecurity metrics is a strategic initiative to protect the business and work toward operational efficiencies in line with your core business drivers.
What are the cybersecurity Key Risk Indicators (KRIs) you should be tracking?
Having insights into focused perspectives and evidence of KRIs can help your organization evaluate your overall risk posture. Understanding the magnitude and extent of your risk exposure requires a detailed mapping of operations across your business network, IT, and security asset infrastructure and control practices.
We’ll outline some of the insights that can be drawn from these cybersecurity metrics and propose questions to consider in analyzing your business operations.
Balancing and Prioritizing Mitigation Efforts
Number of critical assets with known vulnerabilities
One of the first variables to consider here is, what are my critical assets? Secondly, how many known system vulnerabilities do I have? By layering these two data points, we can quickly prioritize efforts to ensure our core operations’ ongoing continuity.
Internal vulnerabilities vs. external vulnerabilities
Depending on your network, this cybersecurity metric could focus solely on external vulnerabilities across different divisions of your supply chain. Vulnerabilities outside of your control can cost your business much more than initially evaluated on a vendor contract, across performance, schedule, and quality of service. If your vulnerabilities are disproportionately distributed across third-party relationships, business data could be at higher risk.
Frequency of review of third parties
When you consider the ongoing nature of how you evaluate your own internal operations, it is equally important to regularly review and assess your third-party network. There are a number of factors that can cause security best practices to lapse within an organization. Change management or a shift in priorities can impact operations outside of your immediate oversight. It is essential to have periodic check-ins to ensure you have an up-to-date understanding of controls and security policies outside of your internal operations.
Beyond scheduled check-ins, your business should also consider risk-triggered vendor assessments based on your monitoring and risk management practices. Fluctuations in external factors that impact your business will also impact upstream and downstream suppliers and partners. Some of these changes may include new advancements in technology, shifts in the competitive landscape, socioeconomic conditions, or updates to the regulatory environment.
Enhancing Confidence in System Access with Cybersecurity Metrics
Who has “superuser” access?
Viewing this metric alongside an understanding of who your key risk managers and admins are is a good way to build confidence in your overall access controls. Often, delegating a specific task requires a higher level of access than you would normally grant. But maintaining extended “superuser” access leaves you exposed to several risks. First, individuals could unknowingly change system settings, affecting the execution of certain functionality and the quality of data over time. Second, extended access could expose sensitive or privileged information to users who have no role in processing that data.
Complete and flexible role-based access control helps organizations restrict “superuser” rights to a small number of individuals, who can then adjust settings as needed for other team members.
Number of days to deactivate former employee credentials
Regardless of any malicious intent, once an employee has left there is no longer an appropriate use case for accessing company systems beyond their own personal employee data. It is crucial to deactivate access promptly to reduce the probability that company data is misused or inappropriately accessed. This KRI can indicate potential exposure to various threats; it can also serve as a KPI for employee offboarding. The time it takes to deactivate employee credentials is also a good candidate for automation: access control and permission updates can be triggered from an HR database of employment status and role.
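As an added example (not from the article or OneTrust), the following Python computes this KRI by joining a constructed HR termination feed with constructed identity-system deactivation events; the employee ids, dates and the one-day SLA are assumptions, and accounts with no deactivation event are reported separately because they are the actual exposure.

```python
from datetime import date
from statistics import mean

# Constructed sample data (hypothetical employee ids and dates, not real records).
# HR feed: employee id -> last day of employment.
HR_TERMINATIONS = {
    "e101": date(2022, 3, 1),
    "e102": date(2022, 3, 4),
    "e103": date(2022, 3, 10),
    "e104": date(2022, 3, 15),
}
# Identity system: employee id -> date the account was disabled.
IAM_DEACTIVATIONS = {
    "e101": date(2022, 3, 1),
    "e102": date(2022, 3, 9),
    "e103": date(2022, 3, 11),
    # "e104" has no deactivation event: the account is still live.
}


def deactivation_lag(hr, iam, as_of, sla_days=1):
    """Days from termination to credential deactivation, per employee.

    Returns the mean and worst lag, the employees whose deactivation exceeded
    the SLA, and any accounts still active as of `as_of` (measured from the
    termination date so the open exposure is visible, not hidden in an average).
    """
    lags = {}
    still_active = []
    for emp, term_date in hr.items():
        disabled = iam.get(emp)
        if disabled is None:
            still_active.append((emp, (as_of - term_date).days))
        else:
            lags[emp] = (disabled - term_date).days
    over_sla = sorted(e for e, d in lags.items() if d > sla_days)
    return {
        "mean_days": mean(lags.values()) if lags else 0.0,
        "max_days": max(lags.values(), default=0),
        "over_sla": over_sla,
        "still_active": still_active,
    }


if __name__ == "__main__":
    print(deactivation_lag(HR_TERMINATIONS, IAM_DEACTIVATIONS, date(2022, 3, 20)))
```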
Frequency of access to critical enterprise systems by third parties
How often are third parties accessing your critical assets or proprietary information? Understanding access trends and frequency helps monitoring systems identify changes or abnormalities that could indicate a potential threat actor exploiting access points or system vulnerabilities.
Evaluate Your Monitoring and Response Initiative
Mean time to detect
How long are incidents flying under the radar or outside of your purview? A low mean time to detect is an excellent indicator that your monitoring activity and reporting channels are functioning well and adequately utilized. Conversely, if incidents go unreported for an extended period, this could indicate gaps in your security tools or cultural challenges in understanding security initiatives.
Mean time to resolve
Measuring how long it takes to resolve an incident can be a good indicator of overall business continuity and general risk management preparation. Taking an averaged approach, you can normalize against outliers to understand if your incident response is appropriately empowered.
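An added example (not from the article) that computes mean time to detect and mean time to resolve from constructed incident records, reporting the median alongside the mean so that a single long-undetected incident does not hide the typical detection performance; incident ids and timestamps are assumptions.

```python
from datetime import datetime
from statistics import mean, median

# Constructed incident records (hypothetical ids and times): when the compromise
# began (established in the post-incident review), when it was detected, and
# when it was resolved. INC-4 is a deliberately long-undetected outlier.
INCIDENTS = [
    ("INC-1", "2022-03-01T08:00", "2022-03-01T10:00", "2022-03-01T18:00"),
    ("INC-2", "2022-03-05T02:00", "2022-03-05T09:30", "2022-03-06T09:30"),
    ("INC-3", "2022-03-07T12:00", "2022-03-07T13:00", "2022-03-07T16:00"),
    ("INC-4", "2022-01-01T00:00", "2022-03-02T00:00", "2022-03-04T00:00"),
]

_FMT = "%Y-%m-%dT%H:%M"


def _hours(start, end):
    """Elapsed hours between two timestamps; negative values mean bad data."""
    delta = datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)
    hours = delta.total_seconds() / 3600
    if hours < 0:
        raise ValueError(f"{end} precedes {start}: check the incident record")
    return hours


def detect_resolve_metrics(incidents):
    """MTTD/MTTR (mean) plus medians, and the incident with the worst detection lag."""
    ttd = {iid: _hours(start, det) for iid, start, det, _ in incidents}
    ttr = {iid: _hours(det, res) for iid, _, det, res in incidents}
    return {
        "mttd_hours": mean(ttd.values()),
        "median_ttd_hours": median(ttd.values()),
        "mttr_hours": mean(ttr.values()),
        "median_ttr_hours": median(ttr.values()),
        "worst_ttd": max(ttd, key=ttd.get),
    }


if __name__ == "__main__":
    for name, value in detect_resolve_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

The gap between the mean (pulled to hundreds of hours by INC-4) and the median (a few hours) is itself a useful signal: report both, and investigate the outlier on its own.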
Outage as a result of an attack
Time is money: what is the value or loss a company incurs due to an incident? Calculating downtime due to an incident or a Distributed Denial of Service (DDoS) attack can help you quantify loss across your business. Once you have quantified downtime, you can analyze the extent of the impact on your organization’s ability to operate across business functions. This cybersecurity metric is a KPI to explain and support your overall risk management program.
Reinforcing Security Best Practices
Number of completed training courses
If your controls are underperforming, this metric adds context: the cause may be an education gap or opportunity. Identify the percentage of stakeholders who have completed training courses for policies related to security practices. These policy metrics can also reveal courses in your training library that have not yet been promoted or distributed and that could help correct behavior.
Number of passed attestation quizzes
Beyond completed training courses to understand the distribution of best practices and policy guidelines, we can then dive deeper into evaluating the number of passed attestation quizzes. Does this metric correlate with our evaluation of how stakeholders execute and perform this control in practice?
Having KRIs that can fuel KPI discussions across your business will strengthen your overall enterprise risk management program. A dynamic and rich data structure helps you organize and correlate data across assets, processes, threats, vulnerabilities, custom risk attributes, and qualitative metrics. This flexible structure provides the context needed to translate risk into business impact across your organization.
Request a demo from our team of GRC professionals to see how OneTrust’s flexible structure and dynamic reporting engine can model these cybersecurity metrics or unique KPIs to your business.