NIST Cybersecurity Metrics

by caliber | September 22, 2020

Metrics are a passion of us at Caliber Security. They provide answers to key questions:
• Should we invest more or less in security?
• Are we meeting commitments?
• Which groups are top performers?

SIRA started a project to define metrics based on the NIST Cyber Security Framework (CSF). They approach metrics with a construct we love and also use: Goal, Question, Metric (GQM). In our experience, we’ve had success with some the following key approaches to successful metrics:
• Every metric must have a defined target. This value is negotiated across stakeholders with the control owner ultimately accountable.
• Whenever possible, the unit of measure should be a % (e.g. % systems in CMDB compared to discovery scans). I found when most metrics are percentages, it’s easier for stakeholders to review and understand. Some metrics should be counted, like the number of H,M,L incidents per quarter.
• Metrics should be defined where higher values are considered “good” (e.g. % vulnerabilities mitigated per SLA). This really improves visual communication and makes it easier to set targets consistently. Of course, this doesn’t apply to incident counts!

The SIRA team took the approach to define a metric for every CSF control objective. This may be the most comprehensive approach; however, a lot of time will be spent defining metrics that aren’t used.
An important aspect when defining metrics across a control framework is to embrace that many objectives don’t lend themselves to sustained, target-based metrics, like “Priorities for organizational mission, objectives, and activities are established and communicated”. Many objectives should just be assessed during regular risk assessments.

We took some time with the CSF and, for each control objective, assigned a Metric Priority rating:
• Priority 1: most valuable, implement first
• Priority 2: consider implementing second
• Regular Assessment (RA): control objective is better suited for periodic assessment
• Covered: when multiple control objectives are covered by one metric

We then defined metrics for the control objectives. For some organizations, many of the RAs can be good metrics, they just didn’t pass our internal GQM bar. Beyond the CSF metrics, Caliber also has nine more that we track. A full example of our CSF metrics and prioritization can be viewed here.

Defining metrics and consistently tracking them are vital for organizational growth and improvement. Need help determining what your company should be tracking? Just contact us at info@calibersecurity.com