How IT pros can better track and report cybersecurity KPIs

"What's measured is managed," as the saying goes, but the questions of what to measure, how to report it and how dashboards should be customized are just as important, says the CISO of Highmark Health.
By Mike Miliard
10:14 AM

More than ever, provider and payer organizations understand the value of analytics and data visualization, and have become adept at tracking and reporting a galaxy of metrics and key performance indicators to monitor their clinical, financial and operational wellbeing.

This process is equally important when running and adapting effective cybersecurity programs, as Omar Khawaja, chief information security officer of Highmark Health, will explain next week at the HIMSS Healthcare Cybersecurity Forum.

In his session, "Measuring Cybersecurity Program Metrics," he'll show how he has overhauled his cybersecurity reporting and metrics communications – offering tips on how to build out an effective reporting platform and giving examples of program templates that have served him well.

"What's measured is managed," said Khawaja, quoting the famous business maxim from consulting pioneer Peter Drucker.

But measurement has its limitations. And too many organizations take a haphazard or gratuitous approach to the KPIs they track.

"Don't measure just because it's convenient, which is a mistake we often make," said Khawaja. "Including me. I used to think measuring more metrics was better. And then I realized that was not really a smart way of thinking about it."

Instead, for every measure, "it's super important to actually identify who it's for, and how they actually plan to use the data," he said. "Something like 70% of all reports, not a single person looks at them. You need to know who your audience is and then take care of them accordingly."

It's important, however, to identify appropriate metrics as soon as possible.

"Don't wait until later," said Khawaja. The mistake, he explained, is to say, "I'm not really sure where I'm going and what to measure, but why don't I go start my journey, and then I'll figure out along the way where I'm going." As he put it: "If you're going to want to go east, but end up driving west, now you just wasted a lot of time."

There are myriad potential trackable metrics, from intrusion attempts and unidentified devices, to patching cadence and third-party vendor bona fides. It's important too, of course, to keep tabs on KPIs such as mean time to detection and resolution of security incidents.

Khawaja uses the MECE principle – "mutually exclusive, collectively exhaustive" – to help ensure that all relevant metrics are compiled and communicated to the stakeholders who need to know them.

"It should be everything that they care about," he said. "And there should be no two measures that actually overlap with each other."

At the Cybersecurity Forum, Khawaja will also discuss how to improve data visualization and dashboard presentation – and how to translate that data into action.

"You can first start by just showing what the numbers are, then you can show some kind of trending – how are we doing compared to before, then you can compare against others.

"But then you've got to integrate it in your process," he added. "If you've got a lot of measurements, but you're not really doing anything with them, then it's not really valuable. Metrics are only useful when inserted into a process. Otherwise, they're like a stack of batteries – lots of potential, but exactly zero value."
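A worked example, added here and not from the article or from Highmark: it computes two of the KPIs mentioned above, mean time to detection (MTTD) and mean time to resolution (MTTR), per quarter from constructed incident records, then produces the period-over-period trend that Khawaja describes as the second step after showing the raw numbers. The record layout and period labels are assumptions for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data): when the attack began,
# when the security team detected it, and when it was resolved.
INCIDENTS = [
    {"id": "INC-1", "period": "2021-Q3", "start": "2021-07-03T02:00",
     "detected": "2021-07-03T14:00", "resolved": "2021-07-04T14:00"},
    {"id": "INC-2", "period": "2021-Q3", "start": "2021-08-10T08:00",
     "detected": "2021-08-11T08:00", "resolved": "2021-08-12T20:00"},
    {"id": "INC-3", "period": "2021-Q4", "start": "2021-10-01T00:00",
     "detected": "2021-10-01T06:00", "resolved": "2021-10-01T18:00"},
    {"id": "INC-4", "period": "2021-Q4", "start": "2021-11-15T10:00",
     "detected": "2021-11-15T16:00", "resolved": "2021-11-16T10:00"},
]

FMT = "%Y-%m-%dT%H:%M"


def _hours(a, b):
    """Elapsed hours between two ISO-style timestamps."""
    return (datetime.strptime(b, FMT) - datetime.strptime(a, FMT)).total_seconds() / 3600


def kpis_by_period(incidents):
    """Return {period: {"count", "mttd_h", "mttr_h"}}, periods in sorted order.

    MTTD = mean(detected - start); MTTR = mean(resolved - detected).
    """
    grouped = {}
    for inc in incidents:
        grouped.setdefault(inc["period"], []).append(inc)
    kpis = {}
    for period, recs in sorted(grouped.items()):
        kpis[period] = {
            "count": len(recs),
            "mttd_h": round(mean(_hours(r["start"], r["detected"]) for r in recs), 1),
            "mttr_h": round(mean(_hours(r["detected"], r["resolved"]) for r in recs), 1),
        }
    return kpis


def trend(kpis, metric):
    """Period-over-period view: list of (period, value, pct_change_vs_previous).

    The first period has no previous value, so its change is None.
    """
    rows, prev = [], None
    for period, vals in kpis.items():
        cur = vals[metric]
        pct = None if prev in (None, 0) else round((cur - prev) / prev * 100, 1)
        rows.append((period, cur, pct))
        prev = cur
    return rows
```

A negative percentage in the trend means detection or resolution got faster, which is the direction a board dashboard would highlight.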

When it comes to spurring meaningful changes from those metrics, Khawaja notes the value of using gamification. "People like gamification, which actually results in real outcomes."

Most importantly, when reporting metrics and KPIs, it's crucial to keep your audience and their objectives in mind.

"If I need to meet with the board of directors to convey to them exactly how concerned they should be about cyber risk, I can put a dashboard together that talks about that," he said.

"Or if I need to put some metrics together to share with the capital committee, why I need more budget, that's going to be a totally different set of KPIs. Or if I need to go to the infrastructure team and explain to them that they need to be patching more regularly, that would also be totally different."

Business leaders want to see metrics about business risk, he said. "But if anyone's in IT, or on the application team or a development engineer, I'm going to talk about that."

Omar Khawaja's virtual presentation, "Telehealth and Remote Patient Care: Overcoming Data Security Challenges," is scheduled for 3:40 p.m. ET on Tuesday, December 7, at the HIMSS Healthcare Cybersecurity Forum.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.