Cybersecurity: Measuring Success

By Cathy Quon, Chris Harper, Kim Lewis and Sapna McCarthy

Sapna McCarthy – Emerson Consulting Manager: People like to know that what they’re doing makes a difference.

Cathy Quon – Emerson Vice President: For your cyber security program, you need to be able to measure whether it’s successful.

Chris Harper – Emerson Associate Director: Because cyber safety behaviors are so critical to the health of your organization, they must be measured.

Benchmark and Measure. First, identify cyber-critical behaviors and benchmark them.

Cathy Quon – Emerson Vice President: You might want to do some internal benchmarking. You might be surprised that there are some departments in your very own company that are practicing excellent cyber security behaviors. Then get baseline measurements.

John Wondolowski – Chief Technology Officer, CMI: So I think one of the first things to really do is decide how you’re going to measure and how you’re going to benchmark. Clearly, orchestrating a social engineering exercise, a phishing attack, perhaps a phone social engineering exercise – whether you do it yourself or whether you hire a third party to do it – is a good way to understand what the failure rate of employees is in engaging and possibly giving up their credentials. That gives you an idea of what the problem is.

But that’s only one attack vector. There are plenty of other tools out there that I would employ to understand and calibrate, say, what your users are doing online with company assets. There are plenty of tools to categorize employee behaviors and look at risky behaviors. So you can identify and make that one of the behaviors that you’re going to try and change with your program. After you implement your behavior change program, start measuring results.

Kim Lewis – Emerson Client Director: Agree on what success is, and that’s what you measure.

Cathy Quon – Emerson Vice President: Whether it be the number of laptops affected by a virus, or the number of people in your company that use some sort of password safe instead of writing down their password on a piece of paper that’s on their desk.

Be clear what success looks like.

Kim Lewis – Emerson Client Director: Identify the one thing that has the biggest impact on your bottom line. And that’s where you start.

John Wondolowski – Chief Technology Officer, CMI: Some of the common measurements that you could use to benchmark the risk profile of your employee base: of course there is the phishing orchestration, and then measuring how many people click on the link and then enter their credentials. That’s one element, one attack point. You can also do that for social engineering via phone and measure the hit rate, the failure rate, however you want to classify it.

Kim Lewis – Emerson Client Director: That’s where the changes begin. Identify one small thing that everyone can drive toward. You measure it; make it simple. That’s how you’ll be successful. Consider going back to your external benchmarks and seeing how safe your organization has become.

Cathy Quon – Emerson Vice President: What you might want to do is research other companies that have done cybersecurity really well. Research that and then compare it to the program you’re actually starting. Make sure you share those stories with others. That is, publicize those best practices.

Sapna McCarthy – Emerson Consulting Manager: It really helps to see “this is where I started, this is where I am, this is where we’re going” to help me feel motivated.

Chris Harper – Emerson Associate Director: It helps to reinforce, because you see the progress toward whatever goal you’ve set for yourself.

Cathy Quon – Emerson Vice President: And that’s why call centers have all those stats that are actually posted in the call center, so that people get motivated, and if they’re seeing that they are sliding backward, then they can figure out exactly what they can do better.