As you begin to offer clients with a comprehensive cyber security solution, one of the first steps you should take is to identify which security metrics you need to measure. Why? Because you simply can’t manage what you don’t measure.
While some aspects of security—such as the integrity of the solution or provided peace of mind—may be difficult to quantify, below we’ve compiled eight essential security metrics that every MSP should be tracking.
1. Mean Time to Detect (MTTD)
Mean time to detect reflects the amount of time it takes a team to discover a potential or ongoing security incident. This metric is measured in time; the shorter the measurement, the less likely a client is to suffer from disruptions or downtime.
This metric gives important insight into the effectiveness of your security tools and team. And, MSPs should always strive to keep this number as low as possible—meaning that a potential problem doesn’t exist for long before your techs become aware of it.
2. Mean Time to Respond (MTTR)
Similarly, mean time to respond reflects the time it takes to control and remediate a threat once it has been discovered. In other words, this tells you how quickly you and your team can identify and remediate any potential vulnerabilities or security threats.
Also measured in time, the MTTR clock starts right after detection and runs until the system is returned to a known good state. Poor performance—meaning an extended amount of time—in this area is typically what contributes to high breach costs. Therefore, it’s important for MSPs to measure know what your mean response time is so that you can work to reduce it.
3. Attack and Threat Frequency
Threat frequency is the number of events or alerts being collected in a given time period. This metric can answer questions such as “how many attacks do we see every day?” or “how many phishing emails are entering my employees’ inboxes each week?”
By tracking threats on the network or its endpoints, you can understand where attacks are being targeted and what needs to be protected most. This is especially important for MSPs as you look to properly adjust decisions and focus your solution on what matters most for clients.
While you’re at it, it’s also a good idea to keep tabs on which types of threats—such as malware, unauthorized access, etc.—are being recorded.
4. Unplanned Downtime
You always want to be watching your clients’ downtime hours, but this metric specifically refers to the number or percentage of outages that were due to security incidents. Tracking this metric is important not only to understanding how much time was lost to an attack, but in ensuring that number doesn’t climb above the threshold that could push clients over the edge and cause them to look for another MSP to do business with.
5. Patch Latency
Patch latency measures the time between a patch's release and the successful deployment of that patch. This is an important metric to look at, especially in the wake of NotPetya and WannaCry, which may have been prevented with better patch management.
Tracking time to patch and the number of updated machines should be near the top of your list of security metrics. Additionally, this metric can help you look for areas of improvement with your patching processes.
6. Password Strength
This metric offers simple risk reduction by sifting out bad passwords and making them harder to break, as well as finding potential weak spots where key systems use default passwords.
By using a password cracking program, you can attempt to break into client systems and reveal weak passwords. A password’s level of strength should be expressed in average length of time required to break it; for example, did it take 10 minutes to crack or 10 hours? The ones that are crack-able in minutes might be due for an upgrade.
7. Security Awareness Training
We all know how important security training is, but how can you ensure your clients are actually following through with it, or better yet, learning anything from it? The answer is to track the training completion statistics and average scores across the client site.
Employees are like the human firewall for most businesses, so it’s important to be in the know on how many people have completed their security training. On top of that, if you’re able to see individual or team scores, you’ll be able to isolate the employees who might be having trouble and better cater your awareness materials to their needs.
8. Client Churn Rate
Continuum CEO Michael George said it best when he claimed, “the number one reason that service providers will be fired by their end-customers will be security.” If you aren’t tracking the above metrics and putting in the effort to protect your clients, you may risk losing their business for good. In fact, this churn rate is something you should be tracking, and it could give you important insight into the effectiveness of your services.
Client churn rate essentially measures your lost business; including clients who left the books, as well as revenue lost from downgrades in service. This metric is important to keep an eye on because an increase in this number could indicate customer dissatisfaction, poor service delivery, or an outdated service offering.
Handpicked for you: