Reporting IT and OT cybersecurity according to one average KPI might be dangerous for your organization
Looking back at several years of IT and OT security assessments, strategy development, and remediation planning, we have come across one specific demand over and over again. Sooner or later in every strategy project, the question regarding one single KPI, one single number that sums up an organization’s entire security posture comes into the discussion. This number will often be included in the final presentation in front of the C-Level and the board to give them an easy representation to comprehend the cybersecurity posture. And this can become dangerous for your cyber organization.
Indeed, this KPI has a deeply rooted problem. It does not matter if it is calculated based on simple averages, weighted averages, or a representable dataset behind it. This single value can not describe the complex interdependencies between all analyzed domains.
Your organization is only as strong as its weakest point:
Attackers do not care about your average maturity. They circumvent all individual cybersecurity breakthrough and attack at the weakest points.
And even worse, this one number potentially hides critical security shortcomings within the organization, as a lighthouse project lifts the calculated average in certain areas.
While upper management is comforted by the good KPI, several organization areas are left vulnerable and without vision or budget to improve. In the meantime, attackers have the time and the skills to find the organization’s weakest spots to enter and, then, spread.
To prevent these types of scenarios, we believe that it is critical to provide all levels of the organization with a deeper understanding of the overall security posture. To highlight strong points and weaker areas, we at BxC advocate for a reporting structure looking at people, processes and technology to highlight which area of investment brings the most significant benefit: where to invest to close the open door in your organization?
Only if we manage to communicate the critical interdependencies between the three pillars – people, process, and technology – for all cybersecurity domains to the C and board level, we have a chance to make it truly difficult for attackers across the board and not only in individual lighthouse projects.
BxC Take Away
Let´s not be fooled by one KPI and be lost in the complexity of its calculation. Averages are dangerous in cybersecurity as they blind you from having a real understanding of your maturity.
Instead, focus any available time to provide a broader and more in-depth understanding of your organization’s strengths and weaknesses to all your stakeholders. Your organization is only as strong as its weakest point.