A fast way to ensure that the cybersecurity program for your business fails is to implement all the necessary controls, then abandon the program and reject any responsibility for continuous monitoring and improvement. We all know how fast the digital landscape is evolving, yet many business owners refuse to acknowledge their responsibility for keeping their business up to date with it. That mindset is understandable, though; we all like it when we can just plug things in and have them work consistently for a long time. Business schedules fill up quickly, and nobody wants extra work that offers no visible return. This is even more understandable in small business environments, where a handful of employees often have to juggle large workloads among themselves.

However, small business owners still need to understand that they cannot keep casting cybersecurity responsibility aside. You can install all the fancy new technology you want and have it work great for the first few years. But around the five-year mark, components will start breaking and falling behind as new models come onto the market. Before you know it, you're stuck using Dell OptiPlex desktops running Windows 7 in the year 2026, and your cyber risk situation is critical.

This all needs to be avoided, but to do this, you need to justify the continuing maintenance and improvement of your cybersecurity program, both to your stakeholders and yourself. This is why most enterprise cybersecurity managers implement key metrics and indicators to measure the effectiveness of their programs. Recall that the main objective of a cybersecurity program is to mitigate cyber threats and manage cyber risks within the bounds of the organization's risk appetite. Therefore, one of the best ways to measure the effectiveness of your cybersecurity program is through Key Risk Indicators (KRIs).

ISACA has provided four standard criteria that should be used by organizations to select KRIs.

  1. The potential impact of the KRI, or the likelihood that the indicator will identify potential risks that are significant to the business
  2. The effort required to implement, measure, and support the indicator on an ongoing basis
  3. The reliability of the indicator as a good predictor of risk
  4. The sensitivity of the indicator, meaning that it is able to accurately capture variances in the risk

This leaves room for you to pick and choose specific KRIs that you feel are appropriate measurements of your organizational risk environment. In addition to KRIs, cybersecurity programs should also be measured with Key Performance Indicators (KPIs) that more directly observe the performance of implemented security controls.

ITIL provides nine standard KPIs to be used for cybersecurity programs.

  1. Percentage of the decrease in security breaches reported to the service desk
  2. Percentage of the decrease in the impact of security breaches
  3. Percentage of the increase in SLAs with appropriate security clauses
  4. Number of preventive security measures the organization implemented in response to security threats
  5. Amount of elapsed time between the identification of a security threat and the implementation of an appropriate control
  6. Number of major security incidents
  7. Number of security incidents that created service outages or impairments
  8. Number of security test, training, and awareness events that took place
  9. Number of shortcomings identified during security tests
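Several of these KPIs can be computed mechanically from the incident and threat records most small businesses already keep in a ticketing system or spreadsheet. The script below is an added example, not part of the original article or of ITIL; it computes KPIs 1, 5, 6 and 7 from constructed sample records for two half-year reporting periods and flags one KRI (mean days from threat identification to control) against an assumed risk-appetite threshold. The record fields and the 14-day threshold are assumptions for illustration, not an ITIL or ISACA schema.

```python
"""Compute a subset of the ITIL-style cybersecurity KPIs from incident and
threat records.  Added example: the records are constructed sample data and the
field names and threshold are assumptions, not an ITIL or ISACA specification."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    opened: date
    severity: str                  # assumed classification: "major" or "minor"
    caused_outage: bool
    reported_to_service_desk: bool


@dataclass
class Threat:
    identified: date
    control_implemented: Optional[date]   # None while no control is in place yet


# Constructed sample records covering one year, split into two reporting periods.
INCIDENTS = [
    Incident(date(2025, 1, 14), "major", True, True),
    Incident(date(2025, 2, 3), "minor", False, True),
    Incident(date(2025, 3, 22), "minor", False, True),
    Incident(date(2025, 5, 9), "major", False, True),
    Incident(date(2025, 8, 1), "minor", False, True),
    Incident(date(2025, 10, 17), "major", True, True),
]
THREATS = [
    Threat(date(2025, 1, 10), date(2025, 1, 20)),    # control after 10 days
    Threat(date(2025, 4, 2), date(2025, 4, 12)),     # control after 10 days
    Threat(date(2025, 9, 15), date(2025, 10, 15)),   # control after 30 days
    Threat(date(2025, 11, 1), None),                 # still without a control
]

H1 = (date(2025, 1, 1), date(2025, 6, 30))
H2 = (date(2025, 7, 1), date(2025, 12, 31))

MAX_DAYS_TO_CONTROL = 14   # assumed risk-appetite threshold for the KRI check


def _in(d: date, period) -> bool:
    start, end = period
    return start <= d <= end


def breaches_reported(incidents, period) -> int:
    """Breaches that reached the service desk within the period."""
    return sum(1 for i in incidents if i.reported_to_service_desk and _in(i.opened, period))


def pct_decrease(previous: int, current: int) -> float:
    """KPI 1: percentage decrease versus the previous period; negative means it got worse."""
    if previous == 0:
        return 0.0
    return round(100.0 * (previous - current) / previous, 1)


def major_incidents(incidents, period) -> int:
    """KPI 6: number of major security incidents in the period."""
    return sum(1 for i in incidents if i.severity == "major" and _in(i.opened, period))


def outage_incidents(incidents, period) -> int:
    """KPI 7: incidents that caused a service outage or impairment."""
    return sum(1 for i in incidents if i.caused_outage and _in(i.opened, period))


def mean_days_to_control(threats, period) -> Optional[float]:
    """KPI 5: mean elapsed days from threat identification to control implementation,
    over threats identified in the period that have a control.  None if there are none."""
    durations = [
        (t.control_implemented - t.identified).days
        for t in threats
        if _in(t.identified, period) and t.control_implemented is not None
    ]
    return round(mean(durations), 1) if durations else None


def open_threats(threats, period) -> int:
    """Threats identified in the period that still lack a control (a companion KRI to KPI 5)."""
    return sum(1 for t in threats if _in(t.identified, period) and t.control_implemented is None)


def kpi_report(incidents, threats, previous, current) -> dict:
    """One row of the assessment checklist: KPIs for `current` plus the KRI verdict."""
    days = mean_days_to_control(threats, current)
    return {
        "breach_decrease_pct": pct_decrease(breaches_reported(incidents, previous),
                                            breaches_reported(incidents, current)),
        "major_incidents": major_incidents(incidents, current),
        "outage_incidents": outage_incidents(incidents, current),
        "mean_days_to_control": days,
        "open_threats": open_threats(threats, current),
        "kri_breached": days is not None and days > MAX_DAYS_TO_CONTROL,
    }


if __name__ == "__main__":
    for name, value in kpi_report(INCIDENTS, THREATS, H1, H2).items():
        print(f"{name}: {value}")
```

On the constructed data the second half-year shows a 50% drop in reported breaches, but the mean time to put a control in place rose to 30 days, so the KRI is flagged even though the headline KPI improved. That is the point of pairing KPIs with KRIs: a falling breach count alone can hide a growing backlog of unaddressed threats.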

Feel free to select metrics and indicators for your cybersecurity program at your own discretion. They should be easily applicable to your organizational environment. Once you have selected key metrics and indicators, make sure to document them in a straightforward checklist to be used for future assessments/audits of your program.