It can be incredibly difficult to incentivise and measure performance in cybersecurity teams. But if you want to retain your top talent, finding an appraisal method is crucial. At RankedRight, we believe that your cybersecurity team possesses the greatest insight into your business and can therefore make the smartest decisions regarding prioritisation of vulnerabilities. This is why we want to do all we can to keep them working hard for you. This article will provide some simple options for setting objectives to manage and reward performance.
Firstly, let’s look at the problem.
To understand the problem, let’s compare it to the work of a sales team. They need to make as many sales as possible, and the higher the value of the sale, the better. You can set financial targets for them to meet, compare employees’ figures at the end of a quarter and reward those who met the targets and came out top. Simple.
In vulnerability management, it doesn’t work to measure performance by the number of vulnerabilities patched. This is because vulnerabilities differ in a multitude of ways: how quickly each can be patched; whether it is an accepted risk or not; how readily available the solutions for addressing it are; how critical it is to the business; who has the skills to deal with it, etc.
As we mentioned in our ‘Ultimate Guide to Vulnerability Prioritisation’, if you measured by volume of vulnerabilities patched, a team could go for all the quick and easy ones (which you may find are the ones that are least likely to cause a material impact if exploited) and that wouldn’t necessarily mean the business was any better protected from attack.
In vulnerability management, good performance comes down to tackling the vulnerabilities that are both most likely to affect your business and will have the biggest impact. In other words, delivering the best protection for your business. So how do you measure this?
Surely no sign of a breach for a long period of time proves your company is protected, right? Wrong. According to research from IBM, the average time to identify a breach in 2020 was 228 days, so you may be under attack right now and not know it yet. Additionally, there is no guarantee that the vulnerability behind a breach was ever identified by your scanner, so your team wouldn’t even be aware there was an issue to address.
Before we go into the measures, we recommend ensuring you give your team all of the tools and support they need to perform at their best. This means access to:
If you have all of these in place, then your team is equipped to give their all and they deserve a fit-for-purpose appraisal method in return.
Split an employee’s performance into three measures (below) and let them prove their efforts on each as follows:
To empower your team and make use of their extensive knowledge and understanding of where the greatest risks are, involve them in creating a system to measure performance. Run an exercise whereby you and the team collaborate to set scores for patching different vulnerabilities, as well as demonstrating good decision making (i.e. whether to accept, patch or remediate a particular vulnerability). For example, the most critical (as determined by your triage activity) would get a higher score, as would those that are more difficult or take longer to address.
You’d keep track of the points as they were awarded and factor in the seniority and experience of individuals when appraising the scores.
As with the first measure, you’d give the individual plenty of opportunity to record comments on their activity, perhaps where they felt the scoring didn’t reflect the effort put in on a particular activity.
Set your team’s objectives by aligning them to the business’ SLAs. These would look at factors such as:
If starting from scratch, decide on a number of KPIs to monitor, with the expectation set ahead of time that there will be constant improvement. If no improvement is identified, then this is a performance issue that needs to be addressed.
These are just some of our recommendations for creating motivated and hard-working teams but if your business uses another model which you think works well, we’d really like to hear about it. If we add it here, we’ll keep you and your company anonymous if required. Please get in touch.