Best Practices for Cybersecurity Performance Management

If you’re a cybersecurity professional, there might be three things keeping you awake at night:

  • The job is getting busier and harder as the threat of a breach keeps increasing
  • You’re working too hard and burnout is prevalent in the industry
  • You’ve got no means of demonstrating the results of your hard work and therefore don’t feel appreciated or sufficiently rewarded for your efforts

It’s not a pretty picture.

Unlike many other industries where results can be seen in sales figures, client wins, lives saved or happy customers, cybersecurity doesn’t provide an easy way of managing performance. A team could patch every vulnerability it’s made aware of, enforce strict IT policies across its workforce and have the best insight and knowledge to work with and a breach could still happen. Conversely, a team could have few resources to protect its business and go without an attack all year. Is one team more successful than the other?

Even though it’s incredibly difficult to incentivize and measure the performance of cybersecurity teams, finding an appraisal method is crucial if a business wants to retain its top talent. In this article, I’ll set out some options for cybersecurity teams to put in place to manage and reward performance.

Cybersecurity Talent Performance Management

As mentioned above, in vulnerability management it doesn’t work to measure performance by the number of vulnerabilities patched. Vulnerabilities vary in how easily and quickly they can be patched, in whether they’re an accepted risk or not, and in how critical they would be to the business if exploited. There are also vast differences in the resources teams have at their disposal: the size and capacity of the team, the solutions and patches available, and the team’s skills and knowledge.

Due to the sheer volume of vulnerabilities being identified each day, prioritization is key. To do this effectively, you have to tackle vulnerabilities in order of their criticality to your business. This will ensure your business is as well protected as it can be with regard to the team capacity and resources.

By setting a performance management program that is based on the results gained by using this method of prioritization, you will have a clear indication of how well your team is doing. There are three ways you can do it.

Option One: Empower Your Team to Set Performance Scores Themselves

Your team has a solid understanding of where the greatest risks are and how different vulnerabilities will affect your business. They are also well placed to determine how much effort each exercise will require. So why not use this insight to create an appraisal system that they’ll find fair?

Work with the team to establish a performance management system by setting scores for solid decision making (i.e. whether to accept, patch or remediate) and patching different vulnerabilities. The way this could work is that the vulnerabilities identified as most critical or most challenging to tackle would get a higher score compared to those that are simple or less relevant to the business.

At the end of each month or quarter, you could add up the points achieved by each team member and request their perspective on their efforts to gain a well-rounded summary of performance.

Option Two: Use SLAs

Every business has service level agreements (SLAs) in place with customers or partners to set out the expectations for performance and agree on consequences if targets are not met.

Why not align your team’s objectives to the business’s SLAs? Do so by looking at the following factors:

  • Clear and accurate prioritization of vulnerabilities from high criticality to low
  • Evidence of a reduction in deferred risk and monitoring of accepted risks
  • Time taken to resolve a critical vulnerability from the point it was identified

If no business SLAs are in place, set starting measurements for each of the above and then calculate the change each month to determine an accurate benchmark.
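To make Option One and Option Two concrete, here is an added example (not code from the article or its author) that models a points-based scoring scheme and the three SLA measures above over a constructed list of vulnerability records. The severity and effort weights, the field names, the rule that an accepted risk only earns points when a rationale is recorded, and all the sample records are assumptions chosen for illustration; adjust the weights to your own business.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed weights: the team would agree these together (Option One).
SEVERITY_WEIGHT = {"critical": 8, "high": 4, "medium": 2, "low": 1}
EFFORT_WEIGHT = {"easy": 1, "moderate": 2, "hard": 3}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # lower rank = more critical


@dataclass
class Vuln:
    vid: str
    severity: str
    effort: str
    decision: str                     # "patch", "accept" or "defer"
    owner: str
    identified: datetime
    resolved: Optional[datetime] = None  # when it was patched or formally accepted
    rationale: str = ""               # required for an accepted risk to count


def points_for(v: Vuln) -> int:
    """Points only for closed work: a patch, or an accepted risk with a written rationale."""
    if v.resolved is None or v.decision not in ("patch", "accept"):
        return 0
    if v.decision == "accept" and not v.rationale.strip():
        return 0
    return SEVERITY_WEIGHT[v.severity] * EFFORT_WEIGHT[v.effort]


def score_by_owner(vulns) -> dict:
    """Monthly or quarterly points per team member (Option One)."""
    totals = defaultdict(int)
    for v in vulns:
        totals[v.owner] += points_for(v)
    return dict(totals)


def hours_to_resolve(vulns, severity="critical") -> Optional[float]:
    """Mean hours from identification to patch for one severity; None if nothing was patched."""
    hours = [(v.resolved - v.identified).total_seconds() / 3600
             for v in vulns if v.severity == severity and v.decision == "patch" and v.resolved]
    return sum(hours) / len(hours) if hours else None


def deferred_risk(vulns) -> int:
    """Severity-weighted total of deferred items: the figure you want to see falling month on month."""
    return sum(SEVERITY_WEIGHT[v.severity] for v in vulns if v.decision == "defer")


def prioritization_violations(vulns) -> list:
    """Pairs (patched item, more critical item that was known and still open at that moment)."""
    out = []
    for v in vulns:
        if v.decision != "patch" or v.resolved is None:
            continue
        for other in vulns:
            if other is v:
                continue
            known = other.identified <= v.resolved
            still_open = other.resolved is None or other.resolved > v.resolved
            if known and still_open and SEVERITY_RANK[other.severity] < SEVERITY_RANK[v.severity]:
                out.append((v.vid, other.vid))
    return out


# Constructed sample records for one reporting period (not real findings).
SAMPLE = [
    Vuln("V-1", "critical", "hard", "patch", "ana", datetime(2024, 3, 1, 9), datetime(2024, 3, 2, 9)),
    Vuln("V-2", "critical", "easy", "patch", "ben", datetime(2024, 3, 1, 10), datetime(2024, 3, 3, 10)),
    Vuln("V-3", "low", "easy", "patch", "ben", datetime(2024, 3, 1, 11), datetime(2024, 3, 2, 12)),
    Vuln("V-4", "high", "moderate", "accept", "ana", datetime(2024, 3, 2, 13), datetime(2024, 3, 2, 15),
         rationale="host is network-isolated; compensating control documented"),
    Vuln("V-5", "medium", "moderate", "defer", "ben", datetime(2024, 3, 2, 13)),
    Vuln("V-6", "high", "easy", "accept", "ben", datetime(2024, 3, 3, 9), datetime(2024, 3, 3, 10)),  # no rationale
]


def period_report(vulns) -> dict:
    """Everything a monthly review would look at, in one structure."""
    return {
        "points": score_by_owner(vulns),
        "critical_mean_hours": hours_to_resolve(vulns, "critical"),
        "deferred_risk": deferred_risk(vulns),
        "prioritization_violations": prioritization_violations(vulns),
    }


if __name__ == "__main__":
    for key, value in period_report(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, V-3 (a low-severity item) was patched while the older critical V-2 was still open, so it shows up as a prioritization violation, and V-6 earns nothing because the risk was accepted without a rationale. Run the same report at the start of the period and each month after to get the benchmark the article describes.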

Option Three: “Personal” Personal Development

Based on the theory that committed, hard-working individuals will do all they can to grow, improve their abilities and knowledge and strive for greater performance, why not set targets based on their efforts to improve their expertise as a cybersecurity professional? This can be split into:

Personal Growth
Set up a record of their efforts to maintain or develop their knowledge and skills through reading, training, mentoring, asking questions, shadowing and more. The record would be updated weekly to show commitment and consistency.

Decision-Making and Responsiveness
Looking specifically at the job at hand, get weekly reports from each team member about the speed at which they dealt with vulnerabilities and the decision-making process they went through to handle them.

Teamwork
While personal development is important, you need your team to work together and help each other. Find ways to track teamwork; perhaps by asking the team to provide examples of where a colleague has helped with an issue or has supported them in their development.

Performance management in cybersecurity is a huge challenge, but it’s one you should try to overcome if you wish to keep your top talent and keep your own business secure. If your team can provide evidence that they’re managing vulnerabilities effectively by prioritizing and tackling them in order of criticality to your business, then you can build an appraisal program around that. The program you build will also look at many other factors of personal development such as desire to learn, alignment to business goals and decision-making abilities. This will motivate your staff and reward them for their hard work and dedication.


Thomas MacKenzie

Thomas has over 10 years in cybersecurity, building and running large successful teams of ethical hackers and vulnerability management consultants. He most recently led the growth of a business unit within a major blue-chip company from $2m to over $15m in three years.
