Cybersecurity KPIs for the SMB

When I talk about security for the SMB, the go-to barrier is insufficient resources to invest in security. While I’m not denying that limited resources for a smaller organization can constrain your options when it comes to building your own security solution, having KPIs to measure the risk you are facing, and the progress you are making in mitigating it, can help you gain access to said resources. Unfortunately, some of the KPIs dictated by so-called “best practices” are really meant for the larger enterprises who have already invested in cybersecurity people, processes, and technology. In this post, I’ll take you through the KPIs you need to demonstrate improvement over time, and considerations for how you capture these indicators – without presuming you already have an advanced cybersecurity program to feed vanity metrics.

What are the Cybersecurity KPIs for the SMB?

There are two kinds of KPIs when it comes to cyber: proactive and reactive. Proactive metrics refer to behaviours we take before an incident to mitigate the risk of it happening (or happening again), or minimize the damage that can occur when it does. Reactive metrics are about the actions taken by our team, or our solutions, once an infection, breach, or indicator of compromise is detected. Keep in mind that when communicating any KPI there is a responsibility to report beyond the quantification of what is happening, to get at a meaningful representation of what this means for your SMB – in other words, articulating the risk to the business, and the costs associated with it in terms of money and time. While this may sound daunting, it should ultimately help you demonstrate the change in risk to your leadership team to drive good decisions. Or, if you’re already invested in your own cybersecurity program, this should ...

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: https://www.intelligonetworks.com/blog/cyber-kpis-for-smb