With cyberattacks on the rise, today’s security professionals rely on detection metrics – both key performance indicators (KPIs) and key risk indicators (KRIs) – as the primary means of measuring the success of their security programs. However, detection metrics alone are not enough to fully optimize organizational productivity and security over time.
A debate has arisen over how to balance two keys to organizational success: security and business efficiency. Enterprises today must prioritize security while also ensuring operational and financial success. Organizations want to provide end users with tools that are accessible, fast and efficient, yet security measures often encroach on exactly these qualities.
Tactics such as multi-factor authentication (MFA), complex password requirements, and files blocked by email firewalls do prevent breaches and produce seemingly impressive detection metrics – but at what cost to business efficiency, as employees expend valuable time and resources? Today, many business professionals assume they must trade time and attention for the assurance of security. Going forward, our industry should strive for solutions that achieve excellent business efficiency metrics while also running a robust security program.
When organizations fall into this pattern of sacrificing business efficiency for security, they need new solutions and a different way to analyze and report on success. Rather than looking at detection metrics first, we should widen our focus to include business efficiency metrics when creating a security policy, driving more holistic and effective solutions.
Most common means of measurement
In order to understand how enterprises arrived here, it is important to understand the key differences between business efficiency metrics and detection metrics. While both may be expressed as KPIs and KRIs, they relate to different areas and activities. Examples of cybersecurity detection metrics include the number of botnet infections spotted per device over a period of time, the percentage of employees whose activity exposes the organization to a breach, or the average time IT teams take to identify an issue.
Business efficiency metrics, by contrast, focus on optimization and are the core of any performance and financial monitoring strategy – looking at measures such as sales revenue generated per employee, or average completion time for key operational tasks.
Businesses would benefit from examining detection metrics in the context of how they impact business efficiency metrics – for better or worse. Today, robust security protocols require non-security employees to turn their attention away from operational priorities, ultimately slowing productivity. Randomized security awareness training; blocking emails, files, and communications; and limiting the ability to share content all negatively affect the user experience and productivity.
These implications extend even to organizations that invest significantly in advanced security technologies to improve detection, if they fail to apply them in a manner that takes both security and business efficiency into account. A 2019 McKinsey study suggests that spending resources on such solutions can do more harm than good when strategy is misguided, “creating significant inefficiencies within the cybersecurity team, thereby compromising the cybersecurity program overall.”
Ultimately, when it comes to ensuring both security and business efficiency, the effort to keep malicious content out of the system must begin with organizations rather than individuals. Entrusting end users with the responsibility to stop incoming breaches not only impedes their ability to operate at maximum efficiency – it also leaves organizations at the mercy of human error. Even if 99% of an organization’s users take every precaution, a 1% miss rate leads to a guaranteed chance of infection. Moving forward, security decision-makers should transition to a more proactive, productivity-oriented strategy—aiming to sanitize all files before they reach employees and to implement positive security measures that are business- and user-friendly, rather than relying on detection-oriented security alone.
Detection metrics—both KPIs, such as intrusion attempts and cybersecurity awareness training results, and KRIs, such as the rate of email breaches caused by employee error—are today’s primary window into how a security program is performing. However, the research outlined below suggests that the additional actions required to collect these metrics and enforce security protocols may have unintended consequences that work against employee productivity.
Part of this problem begins with a work culture in which employees already report efficiency issues across the board. Recent research from Gallup suggests that more than half of workers are currently “not engaged,” giving only the minimum effort required to complete operational tasks – including those tasks that may impact security. Such statistics do not bode well for a cybersecurity program that depends on end users for protection, whether they are expected to avoid every phishing email in their inbox or to create elaborate passwords to deter breaches. Such programs also require extra diligence in analyzing detection metrics in order to keep up with the issues an inattentive workforce creates.
Making metrics matter
By taking a company-led, positive approach to security, businesses can boost employee satisfaction while reducing cybersecurity risk. Where the Gallup poll indicates a disengaged workforce, recent research from IBM points to a potential solution: fostering positive employee experiences results in twice the level of discretionary effort, work performance, and retention.
Creating an environment that fosters a positive employee experience requires significantly reducing the strain that inconvenient security measures place on employees. While detection-based security solutions scan for suspicious elements and block some malicious files, they still put pressure on the workforce, can curb efficiency over time, and leave gaps in security that depend on employee vigilance to fill. Going forward, detection metrics should be measured in tandem with business efficiency metrics to securely optimize operations.
Gathering detection metrics should not inhibit the most critical performance indicator of an organization – employee productivity – and enterprises should begin to view this data through a business efficiency lens, identifying problems in order to implement more efficient solutions. Industry leaders who take this first step can adopt best practices that positively impact their organizations by removing the burdens caused by focusing only on detection metrics, and instead build a holistic, user-centric, and productivity-aligned understanding of a security program’s effectiveness.