A quick note on our new “How-to” series – to help security teams build and refine their Insider Risk Management programs, we’re introducing digestible, instructional content focused on one key step at a time. We’ll share things that have worked – and a few things that haven’t – so you can learn from our mistakes.
What gets measured gets managed. What gets managed gets done. Whatever the quote, whoever it originated from and whatever your stance on it, it tends to be true. I don’t think there is a company, C-suite executive, corporate strategy, business plan or program that does not require us to make “data-driven” decisions. Metrics, Objectives & Key Results (OKRs), Key Performance Indicators (KPIs) – however you define being data-driven – what you use to measure security program effectiveness frames the conversations with the Board, C-suite, business partners – heck, the organization at large.
Historically, the efficiency and effectiveness of your Security Operations Center (SOC) has been the measuring stick for security strategies, programs, processes, people and technology. Industry standards bodies’ frameworks drive the time-to-identify, time-to-detect, time-to-contain, time-to-remediate and time-to-recover metrics, and we have all rallied how we measure programs around them. But are they working?
Ironically, the challenge security teams face is speed. The brutal truth is that the sheer volume and variety of data exposure and exfiltration events happening today is vastly outpacing the security people, programs, policies and controls we have in place. We know this because the very “time to” metrics we love just keep getting worse. We see this in nearly every security survey, from Verizon’s DBIR to our own Data Exposure Report. See the stats from our 2021 Data Exposure Report:
- Time to identify: 71% of organizations lack visibility into data exposure and exfiltration events created by employees.
- Time to detect: 63% of organizations’ security teams cannot prioritize the data exfiltration events that matter.
- Time to contain, remediate, recover: 54% of organizations lack response processes & controls defined & documented for Insider Risk.
This begs the question – when it comes to an Insider Risk Management program, what are the right metrics?
Reimagine security program metrics
In our latest Data Exposure Report, we found a real disconnect between business leaders, employees and security teams, and the disconnect pointed squarely at a lack of awareness. This lack of awareness tells us that, when it comes to business leaders, employees and security teams, you must be communicating the wrong thing because you are measuring the wrong thing. Below are the key stats from our Annual Data Exposure Report 2022:
- Business leaders are not aware of the level of Insider Risk exposure at their company. 97% of companies have security concerns as a result of remote work.
- Employees are not aware of the level of Insider Risk impact they create for the company. 96% of companies admit the need to improve employees’ security & risk awareness.
- Security leaders are not able to measure the effectiveness of their data protection program. 74% of security teams admit they need better metrics when it comes to Insider Risk.
The fact of the matter is you lack transparent business metrics for Insider Risk, threat, data protection and security awareness: metrics that drive awareness of the level of data exposure risk at an organization; of who, when, where and how the exposure risks are created; and of why investments in people, process and technology are not only needed, but proven to move the needle on data risk exposure over time.
The good news is we’ve done quite a bit of research on this topic, talked to countless CISOs, business leaders and partners, and came up with 3 simple metrics. These metrics aim both to raise awareness of data risk exposure (aka Insider Risk) and to measure, communicate and report security program efficiency and effectiveness to the Board, C-suite, business leaders and employees.
- Insider Risk Posture: breakdown of data exposure events by risk severity (Critical, High, Moderate, Low) across an organization, by department, by user
- Insider Risk Gaps: breakdown of data exposure events by risk indicator (file-based, destination-based, user-based)
- Insider Risk Maturity: percentage change in Insider Risk posture – data exposure events by risk severity (Critical, High, Moderate, Low) across an organization, by department, by user
Insider Risk Posture metric
The Insider Risk Posture metric tells you where to start. By taking a data-driven approach to identifying and defining where data exposure exists and the magnitude of that exposure based on the business’ risk tolerance, you will see where you have program blindspots. You are armed with data to build awareness and have a transparent conversation with the board, C-suite and business leaders.
Insider Risk Gaps metric
The Insider Risk Gaps metric tells you where to focus. By homing in on the highest, most critical data risk exposure events and on who, what, where, when and how they happen, you uncover where you have gaps in your policies and controls. You are armed to make data-driven decisions on where to invest time and resources on policy definition and enforcement through right-sized controls. For moderate to low risk events, you know where more targeted employee awareness training campaigns are needed. You are armed with data to make smarter decisions and deliver the business case for resources and budget.
Insider Risk Maturity metric
The Insider Risk Maturity metric tells you if you are moving the needle: how efficient and effective your program’s people, processes and technology are at reducing data risk exposure. Ideally, your program has shifted the mix. Your program is more effective because you’ve lowered the percentage of critical and high risk events happening across your organization. Your program is more efficient because your analysts focus their time on containing and mitigating critical and high risk events and spend less time triaging moderate to low risk events. Your program is creating more risk-aware employees because you know who, what, when and where education is needed and you’re delivering it in real time. In the end, your Insider Risk Management program is proving to reduce risk for the organization.
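To make the three metrics concrete, here is an added worked example (our own illustration, not code from the Data Exposure Report or any product) that computes Insider Risk Posture, Insider Risk Gaps and Insider Risk Maturity over a small set of constructed exposure events. It assumes each event has already been classified upstream with a severity (Critical, High, Moderate, Low) and a risk indicator (file-based, destination-based, user-based); the `ExposureEvent` record, the two-quarter sample data and the choice to express Maturity as the percentage change in event counts per severity between two reporting periods are all assumptions made for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Severity tiers and risk indicators as named in the three metrics above.
SEVERITIES = ("Critical", "High", "Moderate", "Low")
INDICATORS = ("file-based", "destination-based", "user-based")


@dataclass(frozen=True)
class ExposureEvent:
    """One classified data exposure event (hypothetical record layout)."""
    period: str      # reporting period, e.g. "Q1"
    user: str
    department: str
    severity: str    # one of SEVERITIES, assigned by upstream policy
    indicator: str   # one of INDICATORS, assigned by upstream policy


# Constructed sample data for two quarters (not taken from any report).
EVENTS = [
    ExposureEvent("Q1", "alice", "Engineering", "Critical", "destination-based"),
    ExposureEvent("Q1", "bob",   "Sales",       "Critical", "file-based"),
    ExposureEvent("Q1", "carol", "Finance",     "Critical", "user-based"),
    ExposureEvent("Q1", "dave",  "Sales",       "Critical", "destination-based"),
    ExposureEvent("Q1", "alice", "Engineering", "High",     "file-based"),
    ExposureEvent("Q1", "erin",  "Engineering", "High",     "destination-based"),
    ExposureEvent("Q1", "bob",   "Sales",       "High",     "user-based"),
    ExposureEvent("Q1", "carol", "Finance",     "Moderate", "file-based"),
    ExposureEvent("Q1", "dave",  "Sales",       "Moderate", "file-based"),
    ExposureEvent("Q1", "erin",  "Engineering", "Low",      "destination-based"),
    ExposureEvent("Q2", "alice", "Engineering", "Critical", "destination-based"),
    ExposureEvent("Q2", "bob",   "Sales",       "Critical", "file-based"),
    ExposureEvent("Q2", "carol", "Finance",     "High",     "user-based"),
    ExposureEvent("Q2", "dave",  "Sales",       "High",     "destination-based"),
    ExposureEvent("Q2", "erin",  "Engineering", "Moderate", "file-based"),
    ExposureEvent("Q2", "alice", "Engineering", "Moderate", "destination-based"),
    ExposureEvent("Q2", "bob",   "Sales",       "Moderate", "file-based"),
    ExposureEvent("Q2", "carol", "Finance",     "Low",      "file-based"),
    ExposureEvent("Q2", "dave",  "Sales",       "Low",      "user-based"),
    ExposureEvent("Q2", "erin",  "Engineering", "Low",      "destination-based"),
]


def by_period(events, period):
    """Select the events belonging to one reporting period."""
    return [e for e in events if e.period == period]


def posture(events, group_by=None):
    """Insider Risk Posture: event counts per severity tier.

    group_by=None gives the organization-wide breakdown; "department" or
    "user" gives the same breakdown for every department or user.
    """
    if group_by is None:
        counts = Counter(e.severity for e in events)
        return {s: counts.get(s, 0) for s in SEVERITIES}
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, group_by)].append(e)
    return {name: posture(evts) for name, evts in sorted(groups.items())}


def gaps(events, severities=("Critical", "High")):
    """Insider Risk Gaps: the highest-severity events broken down by the
    risk indicator that produced them, so policy/control gaps stand out."""
    counts = Counter(e.indicator for e in events if e.severity in severities)
    return {i: counts.get(i, 0) for i in INDICATORS}


def maturity(previous, current):
    """Insider Risk Maturity: percentage change in the event count of each
    severity tier from the previous period to the current one.

    A tier with no events in the previous period has no defined change and
    is reported as None rather than a misleading number.
    """
    before, after = posture(previous), posture(current)
    result = {}
    for s in SEVERITIES:
        if before[s] == 0:
            result[s] = None
        else:
            result[s] = round((after[s] - before[s]) / before[s] * 100, 1)
    return result


if __name__ == "__main__":
    q1, q2 = by_period(EVENTS, "Q1"), by_period(EVENTS, "Q2")
    print("Posture (org, Q1):      ", posture(q1))
    print("Posture (by dept, Q1):  ", posture(q1, group_by="department"))
    print("Gaps (Critical+High, Q1):", gaps(q1))
    print("Maturity (Q1 -> Q2, %): ", maturity(q1, q2))
```

Run as a script, the Maturity line shows the mix shifting the way the section above describes: Critical down 50%, High down a third, Moderate and Low up, which is what a program that contains the severe events early and pushes the remainder into awareness training should look like. Grouping Posture by department or user is what turns the organization-wide number into a conversation with a specific business leader.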