You need to measure success in IT security. If you don’t, your requests for tools, resources, and budgets are going to be ignored. That’s not the only reason; measuring IT security through KPIs helps you perform better as a manager. You can recognize staff excellence by pointing to their performance and help them advance in their careers.
There’s one final reason you need to develop IT security maintenance key performance indicators. When everything is going smoothly in IT security, KPIs demonstrate your proactive efforts to maintain the organization. Without them, you face an “out of sight, out of mind” challenge in that IT security becomes invisible until the next crisis occurs.
1. Patch Management Key Performance Indicator
Overview: Every month, Microsoft and other technology providers release updates and patches to their software. Many of these updates are designed to eliminate security vulnerabilities. However, these patches only provide value if you implement them quickly on all your systems. If you act slowly, you face increased hacking risk exposure.
Example KPI thresholds:
- Green (i.e., acceptable): 100% of patches are deployed within 48 hours of release.
- Yellow (i.e., acceptable but requires management action): 100% of patches are deployed within five business days of release.
- Red (i.e., unacceptable security risk): 100% patch deployment takes more than five business days.
Estimated work effort and resources:
- Depending upon the size and complexity of your organization, you’ll need to appoint at least one manager to oversee patch deployment. If you have more than a dozen computers, you’ll also need to use a monitoring software tool to create your KPIs.
Tip: Define the scope of this KPI to focus on the most critical systems. For example, consider focusing the KPI on your servers first.
2. Inactive User Account Management Key Performance Indicator
Overview: Every year, employees change roles and leave your organization. As a result, you’ll start to have inactive user accounts. Since they’re inactive, they’re unlikely to be managed well. That’s why we recommend tracking this risk exposure over time to see if your organization is addressing this exposure.
Example KPI thresholds:
- Green (i.e., acceptable): Inactive user accounts are detected and deleted within five days of an employee change.
- Yellow (i.e., acceptable but requires management action): Inactive user accounts are detected and deleted within 30 days of an employee change.
- Red (i.e., unacceptable security risk): Inactive user accounts take more than 30 days to be removed.
Estimated work effort and resources:
- Start by installing an identity management software solution to monitor your user accounts. Next, you’ll need to guide your people managers on their responsibility to remove these accounts. Finally, you’ll need to have an IT security manager generate the KPI report monthly.
3. End User Security Experience Key Performance Indicator
Overview: Traditionally, IT security leaders haven’t emphasized the end user experience. They imposed security restrictions, and users simply had to live by those rules. Unfortunately, this rule enforcement attitude means that some users resent IT and will avoid IT governance by using cloud services and other non-recommended solutions. That’s why we recommend designing a KPI to measure the end user experience.
Example KPI thresholds:
- Green (i.e., acceptable): Average end user satisfaction with IT security is 7 out of 10 or higher in the annual survey.
- Yellow (i.e., acceptable but requires management action): Average end user satisfaction with IT security is 5-6 out of 10 in the annual survey.
- Red (i.e., unacceptable security risk): Average end user satisfaction with IT security is 4 or lower in the annual survey. This level suggests a significant problem, such as poor treatment of end users, significant delays, or complaints.
Estimated work effort and resources:
You’ll need a survey tool such as SurveyMonkey to gather responses from end users. Additionally, you’ll need support from an IT analyst to design the survey, promote it, and prepare the KPI reporting.
What Other KPIs Could You Include?
The above three KPIs are three ways to monitor and evaluate IT security maintenance performance. However, large organizations may have a need to develop additional measures. In those cases, look at measuring the following areas:
- Password policy compliance: Measure whether your password policy is followed in practice. You might also choose to measure biometric authentication usage if you’ve deployed that technology.
- Annual cybersecurity training completion: Measure employee understanding of cybersecurity best practices.
Single Sign-On (SSO) coverage: Measure what percentage of your systems and cloud services are covered by your Single Sign-On software solution.
