A CIO guide to building a dashboard for cybersecurity

KPIs, metrics and other must-haves hospitals should track continuously to protect medical and patient data.
By Bill Siwicki
12:41 PM
Share
Staff monitoring security.

In this day and age when healthcare provider organizations are constantly getting slammed by black hat hackers, CIOs and CISOs need to keep a sharp eye on all the cybersecurity efforts underway and on all kinds of metrics and performance indicators that show where they are safely protecting data and where there may be holes in defenses.

This is where a security dashboard comes in. Security dashboards are the keys to the security kingdom; they showcase everything a CIO or CISO needs to know about their security posture. And more CIOs and CISOs are coming to depend on their security dashboards to plan strategies and tactics.

What the dashboard tracks

A good security dashboard needs to include the following for a specified/measured time period: An indication of current threat level to the organization; an indication of events and incidents that have occurred; a record of authentication errors; an indication of scans, probes and unauthorized access, and an indicator if those key measures are up, down or unchanged; brute force attacks against the system and non-compliant devices; policy violations; malware events; and phishing events, said Karl West, chief information security officer at Intermountain Healthcare in Salt Lake City, Utah.

Security dashboards, naturally, should shift depending on the audience, added Anahi Santiago, chief information security officer at Christiana Care Health System in Wilmington, Delaware.

“The information that is presented to executive management will differ from what is presented to front-line leadership,” she said. “Ultimately, any dashboard should focus on measuring elements that present the highest risk as well as those that provide visibility into the effectiveness of security controls.”

The level of detail and measurement should be commensurate with the audience, she added. Front-line staff are generally presented with detailed technical metrics specific to the controls that are employed to manage risks to existing and emergent threat vectors, she explained. Leadership is presented with a rollup of those metrics and the information is articulated in terms of business and enterprise risk management, she said.

“We have multiple security monitoring solutions that we outsource and, as a result, our Security Operations Center partners have very sophisticated tools that they use to analyze the activities on our network in order to make a determination whether or not to get our IT resources involved to do further investigation on any suspicious activity,” said Michael Maksymow, CIO at Beebe Healthcare in Lewes, Delaware.

From these partners, Beebe Healthcare typically gets the higher level operational dashboards and reports – for example, number of covered assets, newly discovered assets, decommissioned assets, number of threats detected and their risk levels, etc. – on a daily, weekly or monthly level. However, Beebe does have two internal dashboards that it uses as daily work tools: first, a Security Risk Tracker, and second, a Phish Fail Rate Dashboard.

“The Security Risk Tracker is a compilation of all risk findings from any self or external audits that is used as the operational team ‘worklist’ and also serves as an important component to the strategic planning and budgeting processes,” Maksymow said. “The information captured in this report is simply the finding itself, the source of the finding – for example, 2018 Finance Audit, IT Controls – the risk/task ‘owner’ who is accountable to see the risk remediation is completed, assets involved, a risk rating based on the perceived likelihood of occurrence and the potential impact should it occur, remediation actions, expected completion date, actual completion date, and the risk finding’s status.”

The risk rating is a colored rating using red, yellow and green depending on the level of risk and is used to draw attention to the visual cues more easily. All findings with a status of “closed” are kept in the tracker for historical purposes, but are filtered from the view to ensure only active risks are being presented.

“This Risk Tracker is reviewed weekly in our multidisciplinary Network, Operations & Security meetings where barriers, progress and next steps are discussed,” Maksymow said. “The accountability for the goals and measures is quite easy using the tracker. The tracker is transparent, discussed in a weekly forum with the multidisciplinary team comprised of their peers.”

The Phish Fail Rate Dashboard is used to track the number of users who are sent an internally generated phishing email (denominator) and the number of users who’ve failed the test (numerator). This dashboard depicting the percentage of phish fails is updated and published to leadership on a weekly basis to monitor and track the progress of Beebe’s phishing education program.

Infosec dashboard must-haves

There are many things a healthcare provider organization can track and measure on its security dashboard. But there are some “must-haves” that every security dashboard should include.

“Incidents, events, threats and known vulnerabilities,” said West of Intermountain. “These are the leading indicators that need to be watched and tracked to prevent incidents.”

Again, it depends on the audience, but at the very least, a security dashboard has to provide clear visibility into the risk landscape, said Santiago of Christiana Care.

“From my perspective, some of the must-haves in any security dashboard should include the areas of training/awareness, vulnerability management, third-party risk management, incident management and overall risk management,” she explained. “At the detailed level, those metrics include the results of phishing campaigns, measurement of high-risk vulnerabilities resident on devices, high-risk items on the risk register, exception tracking and potential security incidents.”

Examples of key operational indicators come from security technologies performing detection and protection functions, such as mail gateways, web filters, perimeter and end-point malware products, firewalls, and others, said David Bailey, director of security services at CynergisTek.

“Some examples of metrics include the number of URLs by filtered content, number of data downloads, percentage of clean mail versus threat mail, or number of authorized access attempts, to name a few,” he said. “Examples of compliance tracking includes indicators such as the percentage of devices encrypted, number of user-initiated encrypted emails, percentage of devices without endpoint protection, number of devices remotely wiped or auto-wiped, percentage of organizational patch compliance, percentage of security awareness and training, and percentage of disaster recovery tests or incident response tests completed.”

Incident tracking may include the number of identified, open or closed cyber incidents, number of data loss prevention incidents by policy type, or number of employees sending data externally, he added. And lastly, risk mitigation tracking includes metrics such as the number of high, medium and low risks as it relates to the plan of action or corrective action plan, he said.

Key performance indicators and metrics

Once tracking is in place, a security dashboard must provide clear data on performance indicators and metrics. It’s the meat of what is being studied.

“Good performance indicators are those that can measure the effectiveness of controls including adherence to operational targets and organizational policies and procedures,” said Santiago. “Such metrics should provide the organization with a good understanding of whether the goals set forth for threat management are actually being met.”

The value that this provides is not only transparency of risk management but a business justification tool should the resources allocated to security lack the capacity to manage risks to the appetite of an organization, she added.

“These metrics should answer the question of ‘are we meeting the thresholds set forth by the organization,’” she explained. “Some examples include mean time to patch, mean time to detect and respond to potential incidents, average window of exposure, and number of exceptions/types of exceptions.”

One must know and understand the health and protection of one’s data, devices, servers and endpoints, said West.

“Stating they are encrypted or that they have a password is not sufficient,” he said. “You need to track vulnerability remediation times.”

At Beebe Healthcare, the Phish Fail Rate is an organizational Quality & Safety goal and is reported quarterly to the board’s Quality & Safety Committee, said Maksymow.

“Although the phish fail percentage is reported via a visual dashboard, the details that make up the report are analyzed by the IT security team to hone their educational program, including remedial training for those who have failed more than once,” he explained. “The impact of our remedial training is not only designed to foster heightened internal cybersecurity hygiene and awareness, but to also influence all employees to embrace cybersecurity awareness as a necessary daily lifestyle at work, at home and in the community.”

Accountability

So once a security dashboard is up and running, tracking key components and measuring important indicators, the question becomes, how does one hold staff accountable for security as viewed through the eyes of the security dashboard?

West said simply through the creation of scorecards that measure both compliance and maturity.

Santiago of Christiana Care said, “any goals set forth to manage security risks must be supported by executive management and communication of that support has to come from the top down. It is a lot easier to ensure accountability when there is a common understanding of leadership’s expectations.”

To that effect, continuous communication on security metrics, performance and transparency into the work associated with responding to those measures is key, she said.

“Metrics cannot be something that is placed on a wall only to be revisited the following month,” she said. “Metrics have to be actionable and the results of associated actions must be communicated in order to achieve their intended results.”

Tracking process

On the tracking front, Santiago continued: “The information security team, led by our program manager of cyber risk management, plays point in the process. Although the metrics are collected and reported by areas including and outside of the security team, he does a great job of working with the various teams to gather the content and to make sure that it is presented in accordance to the audience.”

The measurements vary depending on the type of control that is being measured but generally there is a goal that has been set forth and all of the measurements point to whether that control is working as intended, she explained.

“For example, there is a goal for phishing campaigns and we measure over a period of time whether those goals have been met,” she said. “The outcome in response to that measure is to tailor our training and awareness efforts to ensure we are driving down risk. The same goes for vulnerability management, incident management, etc.”

How to tell if the dashboard is working

So when all is said and done, healthcare CIOs and CISOs must know whether or not their security dashboard is working as it should. There are various ways to figure this out, the experts say.

“We have a red team – verification and validation – and internal audit to measure and assess the controls we specify and the scorecards we define,” said West of Intermountain Healthcare.

There is a direct relationship in the use of dashboards to influence or make decisions versus the required frequency of updates, said Bailey of CynergisTek.

“Regular review and use of dashboards should be a standard operating procedure for every security team,” he said. “Daily, weekly and monthly checks are appropriate based on the type of information captured. Operational indicators generally require more frequent updates whereas compliance and risk indicators are less frequent since they require projects and mitigation tasks to demonstrate improvements.”

All metrics are presented over a period of time and in alignment with organization goals so they provide a clear picture of how the risk management landscape is trending, said Santiago of Christiana Care.

“Evidence that a dashboard is working can be seen in how the organization responds to the information,” she said. “If there is little action or indifference to the metrics, it is clear that the dashboard is not working as intended. However, if resources, whether people, process or technology, are realigned to ensure that we are achieving the intended goals, the dashboard has been effective.”

Security dashboard checklist

Following are what cybersecurity experts say should be on your security dashboard. Are you prepared?

  • Current threat level to the organization.
  • Events and incidents that have occurred.
  • Authentication errors.
  • Scans, probes and unauthorized access.
  • Brute force attacks against the system and non-compliant devices.
  • Policy violations.
  • Malware events.
  • Phishing events.
  • Detailed technical metrics specific to the controls that are employed to manage risks to existing and emergent threat vectors.
  • Number of covered assets.
  • Newly discovered assets.
  • Decommissioned assets.
  • Number of threats detected and their risk levels.
  • Clear visibility into the risk landscape.
  • Areas of training/awareness.
  • Vulnerability management.
  • Third-party risk management.
  • Incident management.
  • Overall risk management.
  • Mean time to patch.
  • Mean time to detect and respond to potential incidents.
  • Average window of exposure.
  • Number of exceptions/types of exceptions.
  • Phish fail percentage.
  • Impact of remedial training.

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com