Mar 25 2025
Security

Cybersecurity KPIs That Matter Most in Government

State and local agency leaders and industry experts identify their most meaningful key performance indicators for cybersecurity.

When cybersecurity succeeds, nothing visible happens. But when there is no fallout, it is harder to make the case for the resources needed to prevent bad outcomes in the future.

“No news is good news in cybersecurity, unfortunately,” says Gary Coverdale, CISO for Santa Barbara County, Calif. “Until that wake-up call, leadership struggles to connect the dots between cybersecurity and their opportunities to supply business to their stakeholders.”

Agencies are often left to choose their battles as they pursue cybersecurity funding.

“Our budget and resources have to be the pinprick of cybersecurity where it hurts the most,” Coverdale says. In Santa Barbara, that’s defending against ransomware and being able to recover quickly from it.

Coverdale recommends that all jurisdictions conduct the Center for Internet Security’s Nationwide Cybersecurity Review to flag risks, and that they stay apprised of their most imminent cyberthreats.

But this risk-driven approach still requires key performance indicators that keep agencies on track toward achieving goals.

In government, the goal is typically business continuity. Law enforcement, public health, utilities and other stakeholders rely on systems that, if compromised, hamper critical services. In service to business continuity, government IT leaders and security experts recommend tracking the following cybersecurity KPIs:


1. Percentage of Staff to Complete User Awareness Training

“Ransomware is the thing that keeps me up at night,” Coverdale says. “And the low-hanging fruit to stop it is staff training.”

Coverdale uses KnowBe4 for security awareness training of county employees. “We require 100% participation in staff training to minimize the ransomware threat,” he says.

Virginia CISO Michael Watson also advocates for awareness training at the state level.

“Our first line of defense is a cyber-ready workforce,” he says. “For every employee in the Commonwealth, we require annual security training that teaches about the strategies for identifying how hackers are gaining access to systems.”

The link between phishing and ransomware is well documented by Microsoft and many other vendors: many, if not most, attacks begin with a click on a malicious link or file attachment. Phishing is also a main source of credential theft, and stolen credentials give attackers persistent access rather than a one-off foothold.


“Bad actors recognize that people are the most fruitful area to attack and target,” says Ryan Witt, vice president of industry solutions for Proofpoint. “And they aren’t just going after tax information; they also focus on people that they believe can yield a longer-term result.”

In other words, social engineering often begins in one department with the goal of infiltrating another, either to exfiltrate data or deliver a payload.

“Departments get attacked that you wouldn't normally associate with a threat actor focus,” Witt says. “We see attacks in the cafeteria function of some agencies, which isn’t an obvious target, but we don't always know why they’re attacking.”

End users’ ability to spot email scams early can save a lot of trouble later, Witt says. 

2. Patching Completion and Time-to-Patch Metrics

Exploitation of unpatched vulnerabilities is a leading initial access vector for ransomware, and for cyberattacks more broadly, according to experts.

“Whether it’s host-based or network-based, 76% of intrusions can be attributed to one of 10 common vulnerabilities,” Christopher Fielder, field CTO for Arctic Wolf, tells StateTech, citing in-house security research.

State and local IT leaders concur and have taken different approaches to tracking and quantifying patching.

“Metrics we look at continually include whether systems are up to date on their OS, and where there are other patching opportunities, depending on what software and applications they're running on those systems,” Coverdale says. “We ensure that our patching program is 100%.”

Time to patch matters as much as patching completion, especially once an exploit for a newly disclosed vulnerability becomes public.

“One of Virginia’s key performance indicators is patching critical and high server vulnerabilities within 30 days of discovery,” Watson says.

Achieving 100% patching isn’t always possible in environments with legacy IT systems. In those cases, Fielder emphasizes the importance of being aware of those chinks in the armor and compensating for them.

“Keeping a list of currently unpatched systems in your environment or out-of-date patches is crucial for knowing how at risk you are and managing that risk,” Fielder says.
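The three patching measures above (completion rate, time to patch against a window such as Virginia's 30 days for critical and high findings, and Fielder's list of currently unpatched systems) can be computed from the same vulnerability-scan export. The script below is an added example written for this article, not code from any of the agencies or vendors quoted; the findings, hostnames and dates are constructed, the 30-day critical/high window follows the Virginia KPI, and the medium/low windows are this example's own assumption. The one design choice worth noting is that an open finding still inside its window is reported as pending rather than counted as compliant, so a fresh backlog cannot make the SLA figure look better than it is.

```python
"""Patch-management KPIs over constructed vulnerability findings.

Added example, not the article's or any agency's tooling. A Finding is one
hypothetical scanner result: the host, its severity, the date the finding was
first seen and the date it was verified fixed (None while still open).
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed remediation windows in days. The 30-day critical/high window matches the
# Virginia KPI quoted in the article; the medium/low windows are this example's own.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    discovered: date
    patched: Optional[date] = None  # None while the finding is still open


def age_days(f: Finding, as_of: date) -> int:
    """Days from discovery to fix, or to `as_of` if the finding is still open."""
    return ((f.patched or as_of) - f.discovered).days


def sla_state(f: Finding, as_of: date, sla=SLA_DAYS) -> str:
    """'compliant', 'breached', or 'pending' (open but still inside its window)."""
    within = age_days(f, as_of) <= sla[f.severity]
    if f.patched is not None:
        return "compliant" if within else "breached"
    return "pending" if within else "breached"


def patch_kpis(findings, as_of, severities=None, sla=SLA_DAYS):
    """Completion rate, SLA compliance, median time-to-patch and the open backlog.

    SLA compliance is computed only over findings whose outcome is known: closed
    ones, plus open ones already past their window. Open findings still inside the
    window are counted as pending instead of inflating the percentage.
    """
    subset = [f for f in findings if severities is None or f.severity in severities]
    if not subset:
        return {"findings": 0}
    state = {f: sla_state(f, as_of, sla) for f in subset}
    closed = [f for f in subset if f.patched is not None]
    decided = [f for f in subset if state[f] != "pending"]
    compliant = [f for f in decided if state[f] == "compliant"]
    # The "currently unpatched" list Fielder describes, longest exposure first.
    backlog = sorted((f for f in subset if f.patched is None),
                     key=lambda f: age_days(f, as_of), reverse=True)
    return {
        "findings": len(subset),
        "completion_pct": round(100 * len(closed) / len(subset), 1),
        "sla_pct": round(100 * len(compliant) / len(decided), 1) if decided else None,
        "pending": len(subset) - len(decided),
        "median_days_to_patch": median(age_days(f, as_of) for f in closed) if closed else None,
        "open_backlog": [(f.host, f.severity, age_days(f, as_of), state[f]) for f in backlog],
    }


# Constructed sample findings; hostnames and dates are invented for the example.
AS_OF = date(2025, 3, 25)
FINDINGS = [
    Finding("web-01", "critical", date(2025, 2, 1), date(2025, 2, 10)),  # fixed in 9 days
    Finding("web-02", "high", date(2025, 2, 1), date(2025, 3, 20)),      # fixed, but after 47 days
    Finding("db-01", "critical", date(2025, 3, 10)),                     # open 15 days, inside window
    Finding("legacy-scada", "high", date(2024, 12, 1)),                  # open 114 days: the legacy exception
    Finding("file-01", "medium", date(2025, 1, 15), date(2025, 3, 1)),   # fixed in 45 days
    Finding("print-01", "low", date(2025, 1, 1)),                        # open 83 days, inside 180-day window
]

if __name__ == "__main__":
    for label, sev in (("all severities", None), ("critical/high", {"critical", "high"})):
        kpis = patch_kpis(FINDINGS, AS_OF, severities=sev)
        print(f"{label}: completion {kpis['completion_pct']}%, SLA {kpis['sla_pct']}%, "
              f"pending {kpis['pending']}, median days {kpis['median_days_to_patch']}")
        for host, severity, days, state in kpis["open_backlog"]:
            print(f"  open: {host} ({severity}) {days} days, {state}")
```

Run against a real scanner export, the critical/high view is the number to report against a 30-day KPI, and the backlog list is the compensating-control inventory: every host on it should have a documented reason it is still open and a mitigation in place.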


3. Endpoint Protection, Firewall and Email Security Metrics

Analyzing firewall and endpoint protection data is valuable for identifying the most prevalent threats and making a case for more funding to defend against them.

“I'll take those metrics, analyze them and show leadership what people are trying to do to get into our environment,” Coverdale says.

Likewise, Watson flagged firewall data as a crucial indicator for Virginia’s cybersecurity efforts.

“We are continuously measuring and analyzing attack data throughout the environment in everything from our endpoint detection tools to our network firewalls,” he says.

Coverdale also closely monitors email security metrics obtained through Proofpoint.

“We've deployed tools that minimize what gets into the hands of our employees, and we also track those,” Coverdale says. “We tweak them as much as we can. I'd rather have more false alarms with email security than fewer false alarms because I want to be tight on my email hygiene.”


Multifactor authentication across all users is also an important KPI for Santa Barbara.

“We're a somewhat noncentral operation, so we have a lot of departments that have their own IT and security staff,” Coverdale says. “We’re trying to get everybody onto multifactor authentication.”

4. Time to Recovery

Given the importance of business continuity, post-attack recovery is heavily prioritized in the public sector.

The rule, says Coverdale, is to be ready for when — not if — you’re breached.

“I don't begrudge any agency that's been hit by ransomware, because there's no cocoon around our environment to prevent an attack,” he says. “But I begrudge an agency not having appropriate backup systems that are air-gapped from that attack.”

For Santa Barbara, time to recovery is an important consideration, and backup and recovery functions are prioritized.

“To be able to restore and get back into business within two days is a success story,” Coverdale says.


Detection and Response KPIs Need Closer Scrutiny, Experts Say

In a perfect world, all public sector agencies would also rigorously track mean time to detect (MTTD) and mean time to respond (MTTR) to cover the detection and response elements of the National Institute of Standards and Technology’s Cybersecurity Framework, say experts from Arctic Wolf, Proofpoint and Palo Alto Networks.
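For an agency that does decide to track them, MTTD and MTTR are simple to derive from incident records, but one edge case matters: an incident that is still open has no response time, and if it is silently dropped from the average, the longest-running cases vanish from the metric. The script below is an added example written for this article, not code from any of the agencies or vendors quoted; the incident records and timestamps are constructed, and the 24-hour detection and 72-hour response targets are this example's assumptions rather than figures from the article.

```python
"""Mean time to detect / respond over constructed incident records.

Added example, not from the article or any agency's SOC. Timestamps are invented;
the 24h detect and 72h respond targets are assumptions, not figures from the page.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Incident:
    ident: str
    started: datetime      # earliest attacker activity established by forensics
    detected: datetime     # alert or report that opened the case
    contained: Optional[datetime] = None  # None while response is still under way


def hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600


def response_kpis(incidents, as_of, detect_target_h=24.0, respond_target_h=72.0):
    """MTTD and MTTR, their medians, and per-incident target breaches.

    MTTR is averaged over contained incidents only, but open incidents are listed
    separately and count as respond-target breaches once their age exceeds the
    target, so a long-running case cannot improve the average by staying open.
    """
    ttd = {i.ident: hours(i.detected, i.started) for i in incidents}
    ttr = {i.ident: hours(i.contained, i.detected) for i in incidents if i.contained}
    open_age = {i.ident: hours(as_of, i.detected) for i in incidents if not i.contained}
    return {
        "mttd_hours": mean(list(ttd.values())) if ttd else None,
        "median_ttd_hours": median(list(ttd.values())) if ttd else None,
        "mttr_hours": mean(list(ttr.values())) if ttr else None,
        "median_ttr_hours": median(list(ttr.values())) if ttr else None,
        "open_incidents": sorted(open_age),
        "detect_breaches": sorted(k for k, v in ttd.items() if v > detect_target_h),
        "respond_breaches": sorted([k for k, v in ttr.items() if v > respond_target_h]
                                   + [k for k, v in open_age.items() if v > respond_target_h]),
    }


# Constructed incidents for the example; identifiers and times are invented.
AS_OF = datetime(2025, 3, 25, 12, 0)
INCIDENTS = [
    Incident("INC-001", datetime(2025, 1, 6, 8), datetime(2025, 1, 6, 14), datetime(2025, 1, 7, 10)),
    Incident("INC-002", datetime(2025, 2, 10, 2), datetime(2025, 2, 12, 2), datetime(2025, 2, 15, 2)),
    Incident("INC-003", datetime(2025, 3, 20, 9), datetime(2025, 3, 20, 10)),  # still open
]

if __name__ == "__main__":
    kpis = response_kpis(INCIDENTS, AS_OF)
    print(f"MTTD {kpis['mttd_hours']:.1f}h (median {kpis['median_ttd_hours']:.1f}h), "
          f"MTTR {kpis['mttr_hours']:.1f}h (median {kpis['median_ttr_hours']:.1f}h)")
    print("open:", kpis["open_incidents"], "detect breaches:", kpis["detect_breaches"],
          "respond breaches:", kpis["respond_breaches"])
```

Reporting the median alongside the mean is deliberate: a single slow detection (48 hours in the sample) moves the mean far more than it moves the median, and leadership reading a quarterly number should see both.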

Government IT leaders acknowledged the importance of MTTD and MTTR for internal purposes, but didn’t flag it among their priority KPIs.

“There's not enough time, not enough resources to apply to elevate the whole spectrum of cybersecurity to the point that you're as protected as you can be,” Coverdale says. “So, I emphasize protect and recover; that’s where most of my funding goes.”


The decision boils down to a lack of resources to manage these systems.

“It’s not about the money for me to go out and buy stuff,” Coverdale says. “I need to have the resources to support the stuff I buy.”

Artificial intelligence is a possible avenue toward filling workforce gaps and improving threat detection, but more detections also risk exacerbating alert fatigue.

“Some organizations say, ‘I don't need more alerts, I need something to help me wade through those alerts,’” Fielder says.

One way around this is to use managed security services, such as a security operations center that can assist with detection and response. With help from MS-ISAC or a private sector SOC provider, resource-strapped agencies can be better equipped to focus more on MTTD and MTTR, Coverdale says.

“A SOC is a good service that supports our security information and event management,” he says. “It’s a very viable option, especially for smaller organizations, because it minimizes the investment for resources and people.”
