How to Measure the Efficacy of Your Cybersecurity Program: 5 Questions to Ask

When it comes to measuring the efficacy of your security efforts, understanding how your program stacks up against peers can reveal where key improvements or investments are needed. 

Proving success in cybersecurity has always been a challenge: If you’re playing defense and nothing bad happens, was it because you’re smart or lucky? Gaining perspective on your organization’s effectiveness is a vital step in improving your cyber hygiene. 

While new exploits or zero-day attacks make headlines, the most common root causes of breaches are familiar and predictable. According to Tenable Research’s 2020 Threat Landscape Retrospective these include:

• Old, unpatched vulnerabilities

• Poor administrative and configuration processes

• Insufficient asset tracking


Understanding your vulnerability management process is foundational to assessing cyber risk

Scanning your environment and addressing unacceptable risks in a prioritized manner are the twin pillars of any effective security program.  But organizations oftentimes don’t have a complete understanding of these processes. Two critical measurements you need to have at your fingertips are:

• Assessment Maturity: This metric gives you Insight into your scanning processes to ensure your team is operating with a complete and accurate picture of your evolving attack surface

• Remediation Maturity: This metric enables you to evaluate how timely and proactive your are in mitigating critical risks


Peer benchmarks reveal where key investments are needed

By themselves, these vulnerability management process metrics don’t tell you all that you need to know — you need a sense of perspective to understand how they stack up within the context of your peer group. No matter your industry, you don’t want to be at the bottom of the barrel. But, without peer benchmarking, it’s difficult to know how well you’re really doing.

When you think about your cyber hygiene fundamentals — assessment and remediation — you need to know: 

1. How am I doing?

2. How do I compare to my peers? 

3. What specific actions do I need to take to improve? 


The answers to these questions will help you request budget and allocate resources by enabling you to  understand and communicate how you’re doing across internal business units and compared to external peers. Think of it like a professor grading you on a curve and telling you exactly what you need to do to get an “A” in the class.

Five questions to size up the maturity of your security program

1. How often do you scan the majority of your assets?


This is where your journey to maturity begins.  Answering this question with precision begins to take you down the road of understanding what resources you have internally, what’s reasonable to accomplish and what critical metrics you can obtain.


• 
With scanning in place, you can ask additional questions such as: 
• How much of your environment are you regularly scanning?

• Approximately how much time passes between scans?

• Do these behaviors vary across business units or geographies? 

• Are those areas broken out by the criticality of the asset to your business, the type of asset, geolocation of the asset, or any other factors? 

• What is the SLA requirement for each of those categories? 



The longer the scan cycle (time between scans), the longer vulnerabilities remain unidentified and unpatched.  You not only need to quantify risk, you also have to identify those risks quickly. To give you some perspective, the average organization scans their assets approximately every four days, according to Tenable Research.

2. What percentage of open vulnerabilities are you capturing?



Authentication is the first point of triage. You can’t quantify what you can’t see. With risk reduction as your goal, authenticating wherever and whenever you can is critical. At the end of the day, getting as deep and broad of an assessment on an asset as possible is a fundamental step in being able to know where risks are, what assets/business functions are impacted and what you’ll need to do to remediate and lower risk. Without knowing the scope, criticality, impact and work requirements, there’s simply no way to effectively manage risk and build toward a more mature program that can properly address and reduce risk going forward. Tenable Research shows that credentialed scans detect on average 45x more vulnerabilities per asset than non-credentialed scans; yet, nearly 60% of enterprise assets are scanned without local credentials, yielding false negatives. 



3. How quickly are you addressing high-risk vulnerabilities?


According to the Tenable 2021 Vulnerability Intelligence Report, 18,358 new vulnerabilities were identified in 2020. But only 5.2% had a publicly available exploit. You need to fix first what matters most. Reducing risk in the most efficient and effective manner requires understanding how quickly you're addressing vulnerabilities which you’ve identified to be high-risk on assets which are highly or critically important to your business functions. Understanding the nature of the threat posed by a vulnerability involves insight into the characteristics of the vulnerability that make it attractive to attackers along with threat intelligence for insight into the in-the-wild activity surrounding that particular vulnerability. You can’t afford to waste valuable resources on vulnerabilities that pose little or no threat.

4. What percentage of assets have endpoint protections in place?


Endpoint security is one necessary layer of defense among many.  You need to know if your systems have required security programs installed and you are aware of any unauthorized or potentially dangerous software installed on those assets. But this is not just an issue of malware; for example, this could involve such policy violations as having telnet open, when telnet is not allowed to be available on any corporate system. The risk of not asking this question is simply that you may not know if controls are in place everywhere you expect it to be. This is an all too common problem. Only 44% of infosec leaders say their organization has good visibility into the security of their most critical assets, according to a commissioned study conducted by Forrester Consulting on behalf of Tenable.


5. Are you reducing cyber risk across key business functions?


The Forrester study also revealed that just four in 10 security leaders can answer the question “How secure or at risk are we?” with a high level of confidence. It’s a simple question, but one that can be maddeningly difficult to answer without the right intelligence and metrics. 
At an executive level, understanding if risk is being reduced across business functions (teams, geolocations, asset types etc.) aligns with the goals of the overall business and demonstrates value and return on investment for the budget given to the security program. At a strategic level, answering this question helps the day-to-day leadership make better decisions about where the program is working best (and thus, how to replicate that to other areas) and where it’s not working so well. At the tactical level, those responsible for remediating and patching need to understand how their efforts are moving the needle in the right direction for their particular business function, as well as how their efforts are communicated up the chain all the way to the executive level. 

Without precise answers to these questions you may not know if you’re actually reducing risk or not. Further, you may miss areas of the organization which are struggling to reduce risk or are putting the rest of the organization at risk due to their inability to drive risk downward. 

Level up your security program to reduce your cyber exposure

By honestly answering these five questions, you can set your program up for success with a baseline of security intelligence, cyber risk and process integrity metrics from which to measure improvement over time. Then, by comparing your metrics across internal teams and against external peers, you can identify where key improvements are needed — e.g., your accounting department might have inadequate authenticated scan coverage; or, your overall program might not be fixing critical issues quickly enough compared to industry peers.


Wherever your program is in its maturity journey, Tenable can help by automatically tracking these key process metrics and highlighting gaps where additional investments can have the greatest impact on reducing risk. Once you have this full picture, you can begin to prioritize your efforts and play offense by actively addressing the lowest hanging fruit that attackers are most likely to exploit. 

Learn More 

• View the infographic: 5 Questions to Size Up the Maturity of Your Security Program
• Read the whitepaper: Calculating Known and Unknown Risk: The Math Behind the Cyber Exposure Score  
• Watch the videos: Measure Program Efficacy with Tenable Lumin
• Find out how Tenable can help: Request a demo