Skip to main content
The Panaseer logo shows a white square and a yellow square around the initial P. To the right of the P there is the copy written ‘anaseer’.
Show main menu Hide main menu

Metric of the Year: Three crucial security metrics from 2021

Our final Metric of the Month for 2021 is a roundup of the most popular metrics we’ve covered this year, based on page views – a Metric of the Year, if you will. We’d like to thank all our contributors from the past 12 months, who have given us valuable insight into the metrics and measures that help to improve cybersecurity posture. 

Barnaby Clarke
read

3rd: Ransomware protection metrics with Andrew Jaquith

For this article we spoke with seasoned CISO and author of Security Metrics: Replacing Fear, Uncertainty, and DoubtAndrew Jaquith. He’s helped pioneer Continuous Control Monitoring at Goldman Sachs and JP Morgan, and is a member of our advisory board Andy outlines a three-step playbook that attackers use to propagate ransomware:  

  1. Get in.
  2. Spread.
  3. Profit.

To protect against threat actors getting in, Andy suggests looking at metrics that represent maintaining a good security posture. That means measuring external exposure and eliminating what he calls ‘known bads’, such as ensuring your patching is up-to-date and phishing test completion rates. 

For the ‘spread’ section, Andy highlighted metrics that help to reduce the risk of ransomware propagating within the organization. This is a focus on privilege, managing service accounts, and ensuring you have multi-factor authentication in all the right places. 

And finally, we come to ‘profit’. It’s unfortunately already too late for you if the attackers are profiting, but Andy shares some metrics that will help in recovery, such as the completeness of your inventory for ‘crown jewels’ and tracking successful backups.  Here’s a dashboard we mocked up:

Ransomware protection metrics dashboard

It takes an average of five control failures for a ransomware attack to be successful. That means you need to continuously measure and monitor your security controls to make sure they are running as expected. We've created a ransomware dashboard with a similar structure in our platform. This means our customers can not only measure their ransomware protection levels, but also present them to an increasingly cyber-savvy board.

2nd: Security controls frameworks with Phyllis Lee

Thanks to Panaseer’s partnership with the Center for Internet Security (CIS) around the Controls Assessment Specification, we spoke to Phyllis Lee, one of the leading experts in security controls frameworks. Phyllis spent decades working for the US government in cybersecurity and in the last few years has turned to providing controls guidance for the global security community as Senior Director for the CIS Critical Security Controls. 

We explored what makes a good security framework – they should be achievable, provide prioritization, and, crucially, prove that what you are doing is right. Often, frameworks are generic, with loose language, and don’t always provide great guidance on how to implement them. 

That brought us to the Controls Assessment Specification, which provides more specific, prescriptive guidance for organizations on metrics to measure to effectively use the controls framework. 

It’s a relatively new concept for a framework to give such detail in advising organizations on what to measure and what good looks like. 

Phyllis also considered the future of frameworks, highlighting the importance of automation to continuously monitor your controls. This is not just to ensure compliance with a framework, but to make sure your metrics are within thresholds and you are doing what you need to do to stay secure.

Our winner: Privileged access management metrics with David Fairman

In this installment of Metric of the Month, we caught up with David Fairman to discuss privileged access management. 

David is an experienced CISO, having run successful enterprise security programs in various industries across the globe. He’s a valued member of our advisory board, a Continuous Controls Monitoring advocate, and a security metrics expert. 

He highlights some particularly useful privileged access management metrics, such as privileged accounts that don’t have an owner, or privileged account sessions that don’t have a ticket. 

Here’s how that looks in a mock dashboard:

Privileged access management metrics dashboard

David also outlines a five-step guide to improving your PAM program: 

  1. Define ‘privilege’ based on your risk appetite.
  2. Discover all your privileged accounts.
  3. Separate duties around the creation, management, and use of privileged accounts.
  4. Ensure all privileged accounts have owners.
  5. Implement enhanced controls on your privileged accounts. 

Cybersecurity, in general, isn’t easy, but PAM can be one of the tougher things for an organization to keep on top of. This article provides you with insight into some useful privileged access management metrics and best practices.   

About the author

Barnaby Clarke