Cyber security is a journey and not just a destination. In the ever-changing security landscape, regular testing and mitigation are required. To stop testing efforts from feeling like a sink for time and funding, mechanisms can be used to track the output of testing, show progress, and motivate internal teams to improve their practices.
KPIs (Key Performance Indicators) can be used in conjunction with penetration testing and vulnerability scanning to track improvement and motivate the development (or infrastructure) team to improve their work and make the environment as secure as possible.
Four simple penetration testing KPIs to implement:
- Regulatory Compliance
Whether this is PCI compliance, Cyber Essentials, or an unofficial client requirement, getting to a "Pass" in any of these areas is not an easy task. Working with an experienced penetration tester can help you reach this landmark and get one step closer to compliance. Once this KPI has been met it should not be put to one side and forgotten about: these standards change with time, and KPIs should be kept in place to make sure compliance stays up to date.
- Number/Severity of Vulnerabilities
This may seem like an obvious point, but ideally both metrics would show a steep downward trajectory from one test to the next. In practice there may be a trade-off between the two: fixing a handful of high-severity issues first can leave the overall count flat for a while, and driving the count down quickly can mean the hardest, most severe issues are left open longest. Where to strike that balance is down to the risk appetite of the organisation's information security managers.
- Remediation Time
A good metric to track is the time taken to fix the issues found during a test. In our experience, the target time should be flexible depending on the severity and complexity of the issue identified. Because there is no single timeframe that suits all issues, this metric is best used to track each issue individually and to update all parties if unexpected problems arise while fixing a vulnerability.
- Impact on Customers/End Users
The end goal of all security teams should be to ensure that customers or end users are affected as little as possible. There are multiple ways users can be affected, from losing confidence after hearing about a breach in the news to being unable to access vital services while security updates are being rolled out.
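The Number/Severity and Remediation Time KPIs above are easy to describe but only useful once they are computed consistently from the findings register after every test. The script below is an added example (it is not part of the original post and not Risk Crew tooling) that tracks both from a list of findings: open findings per severity as of a date, mean time to remediate per severity, findings that have exceeded a severity-dependent fix deadline and so need escalating to all parties, and the change in counts between two engagements. The findings, dates and the per-severity deadline days are constructed for illustration and are assumptions, not a standard.

```python
"""Added example: compute penetration testing KPIs from a findings register.

All findings, dates and SLA thresholds are constructed for illustration;
the SLA_DAYS values are assumptions to be tuned to your own risk appetite.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation deadlines in days per severity (not a published standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    severity: str          # one of the SLA_DAYS keys
    found: date            # date reported by the test
    fixed: Optional[date]  # None while still open
    test: str              # engagement that reported it, e.g. "2023-Q1"


def open_by_severity(findings: List[Finding], as_of: date) -> Dict[str, int]:
    """Number/Severity KPI: findings still open on `as_of`, per severity."""
    counts = {s: 0 for s in SLA_DAYS}
    for f in findings:
        if f.found <= as_of and (f.fixed is None or f.fixed > as_of):
            counts[f.severity] += 1
    return counts


def remediation_days(f: Finding, as_of: date) -> int:
    """Days from report to fix, or days open so far if still unfixed."""
    end = f.fixed if f.fixed is not None else as_of
    return (end - f.found).days


def mean_time_to_remediate(findings: List[Finding]) -> Dict[str, float]:
    """Remediation Time KPI: mean days to fix per severity (closed findings only)."""
    totals: Dict[str, tuple] = {}
    for f in findings:
        if f.fixed is None:
            continue
        n, total = totals.get(f.severity, (0, 0))
        totals[f.severity] = (n + 1, total + (f.fixed - f.found).days)
    return {sev: total / n for sev, (n, total) in totals.items()}


def sla_breaches(findings: List[Finding], as_of: date) -> List[str]:
    """IDs of findings open (or fixed) later than their severity's deadline;
    these are the ones to raise with all parties rather than wait on."""
    return sorted(f.finding_id for f in findings
                  if remediation_days(f, as_of) > SLA_DAYS[f.severity])


def severity_trend(findings: List[Finding], earlier: str, later: str) -> Dict[str, int]:
    """Change in findings per severity between two engagements; negative is good."""
    def counts(test: str) -> Dict[str, int]:
        c = {s: 0 for s in SLA_DAYS}
        for f in findings:
            if f.test == test:
                c[f.severity] += 1
        return c
    a, b = counts(earlier), counts(later)
    return {s: b[s] - a[s] for s in SLA_DAYS}


# Constructed sample register (not real findings) and reporting date.
FINDINGS = [
    Finding("F-1", "critical", date(2023, 1, 10), date(2023, 1, 14), "2023-Q1"),
    Finding("F-2", "high",     date(2023, 1, 10), date(2023, 3, 1),  "2023-Q1"),
    Finding("F-3", "medium",   date(2023, 1, 10), date(2023, 2, 20), "2023-Q1"),
    Finding("F-4", "low",      date(2023, 1, 10), None,              "2023-Q1"),
    Finding("F-5", "high",     date(2023, 4, 12), None,              "2023-Q2"),
    Finding("F-6", "medium",   date(2023, 4, 12), date(2023, 5, 2),  "2023-Q2"),
]
AS_OF = date(2023, 6, 1)

if __name__ == "__main__":
    print("open by severity:", open_by_severity(FINDINGS, AS_OF))
    print("mean days to fix:", mean_time_to_remediate(FINDINGS))
    print("past deadline:", sla_breaches(FINDINGS, AS_OF))
    print("trend Q1 -> Q2:", severity_trend(FINDINGS, "2023-Q1", "2023-Q2"))
```

Run after each engagement with the register exported from your tracker; the `sla_breaches` list is the one to put in front of the development team and the client, since it catches open findings that have silently aged past their deadline as well as fixes that landed late.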
Don’t let the delivery of the report be the last step in testing
Report delivery is not the end of a penetration test engagement. Tracking, updating, and remediation are the next steps for the security team to take, and KPIs are how progress on those steps is measured. Tracking ensures the most value for money from the penetration test as well as improving the security of the client.
When you engage the Risk Crew Security Team for your penetration testing needs, we advise on how to track specific KPIs tailored to your requirements and security goals. We believe if you can’t measure the results, you haven’t changed anything.