1.0 - Introduction
Business owners, leaders, and senior managers are busy. They are dealing with many competing priorities, their time is valuable (a scarce resource, in fact!) and, more often than not, they are under the impression that you already have their security covered.
It is the MSP's job to help their clients understand their cybersecurity quickly and at a level that enables quick, data-driven decisions.
In practical terms, this means being:
measurable
sufficiently detailed to enable decisions
high-level enough to ensure understanding
aligned with industry best practices
tailored to their own organisation's risks and opportunities
Thankfully, it's not as difficult as it sounds. Many a professional has trodden this path before in other industries and has proven, time and time again, that Key Performance Indicators (KPIs) are the best way to achieve these goals.
HighGround uses 3 KPIs to communicate an organisation's cybersecurity posture to their customers.
CyberScore – An organisation's overall security posture, ranging from 0 to 100.
CyberResilience – A measure of an organization's ability to govern, respond, recover, and improve its cybersecurity stance, ranging from 0 to 100.
NIST CSF 2.0 Alignment – A visual, multi-dimensional representation of an organisation's security posture aligned to the NIST Cybersecurity Framework 2.0, creating a unique 'security shape'.
By simplifying complex cybersecurity data into easy-to-understand KPIs, HighGround empowers MSP owners, account managers and engineers to discuss their clients' security posture with confidence, safe in the knowledge that business owners, leaders and senior managers at their clients will understand, engage in the conversation and feel empowered to invest in security improvements they actually understand.
This article breaks down each of the 3 KPIs into more detail.
Tip: You can now use AI to help you provide answers for any technologies you do not have. To learn more, read our Using AI in HighGround article.
2.0 - CyberScore: Your Overall Security Posture
2.1 - What is the CyberScore KPI?
The CyberScore KPI provides a high-level rating of an organization's cybersecurity posture, expressed as a score from 0 to 100.
This score helps organizations understand their current risk level and provides a simple benchmark for comparison over time.
Think of the CyberScore like a credit score for cybersecurity. Just as a credit score reflects financial reliability, CyberScore reflects how well an organization has implemented security controls to protect itself from cyber threats.
2.2 - How is the CyberScore KPI Calculated?
An organization's CyberScore is driven by the security technologies and practices the organisation has implemented to protect against, detect, respond to and recover from a cyber-attack. Each technology and practice has its own weighting that reflects its overall effectiveness in protecting an organisation from cyber-attack.
Technology: something you have a tool for, for example Endpoint Protection.
Practice: something you set up, configure and monitor, for example SPF and DKIM, or something you do regularly, for example Penetration Testing.
Almost all of these technologies and practices are included in the NIST Cybersecurity Framework 2.0 and thus represent international best practices. There are a handful of exceptions which are not included in the framework, but which are widely considered best practice and thus have been added to the CyberScore scoring algorithm.
To drive an organization's CyberScore KPI, you must attest to each of the questions on the list, after which the CyberScore is calculated dynamically.
2.3 - How to Attest the CyberScore KPI
You can attest an organization's CyberScore by clicking on the CyberScore KPI anywhere in the UI and attesting to each of the 16 sections and 11 subsections.
When attesting a client's CyberScore, there are 2 different types of questions:
Attesting technologies: you can define the tool that the client uses in your MSP's security stack, or a tool purchased directly by the client, for example 'SentinelOne' as a tool for the 'Endpoint Protection' technology.
Attesting practices: you can define whether a practice is followed / implemented, for example setting up SPF, DKIM and DMARC, or performing annual Penetration Testing.
There are 3 different methods for attesting a client's CyberScore, which you can mix and match to quickly and accurately map your client's CyberScore:
Method 1 - Manually
Click on each row in the CyberScore attestation modal and select a tool from your MSP's security stack, one of the tools from the general tools list provided by HighGround, or manually create a tool. For practices, simply add the practices that are implemented.
Method 2 - Applying a security package
The CyberScore can also be driven by applying one of your MSP's security packages to a client. If a security package has been applied to a client, attestation will be locked, as it is inherited directly from the security package.
Method 3 - Security Tool Suggestions
If you are unsure what security tools a client has and you have integrated your PSA or finance tool with HighGround, click the blue 'Review' button for security tool suggestions.
3.0 - Cyber Resilience
3.1 - What is the Cyber Resilience KPI?
CyberResilience measures an organization’s ability to govern cybersecurity risks, respond to threats, recover from incidents, and learn from cyber-attacks to ensure continual improvement.
While the CyberScore KPI indicates an organization's overall security posture at a given moment, the Cyber Resilience KPI indicates how resilient an organization will be in the event of a cyber-attack.
Just as a healthy immune system fights off infections and builds resistance to future illnesses, a strong Cyber Resilience score means an organization can identify risks as well as detect, respond to and recover from cyber-attacks with minimal impact on business operations.
3.2 - How is the Cyber Resilience KPI Calculated?
An organization's Cyber Resilience KPI is ultimately a reflection of their ability to manage and govern their cyber risk, which is driven by the security practices they implement and how frequently these are reviewed and tested.
To maintain good Cyber Resilience, and thus a strong Cyber Resilience KPI, organizations must ensure they:
anticipate and plan for cyber-attacks to minimize business disruption
identify and manage the protection of data in their organisation
understand their legal and contractual security obligations pertaining to operational security, data privacy and reporting
diligently implement, review and test their ability to identify and manage risks
build and implement a technology strategy that is aligned to organizational risks and opportunities
plan, build and test robust incident response and disaster recovery capabilities
govern their risk at board-level within the organisation
limit their legal and financial liabilities, for example through cyber insurance
Each security practice has its own weighting that reflects its overall effectiveness in ensuring cyber resilience.
Almost all of these security practices are included in the NIST Cybersecurity Framework 2.0 and thus represent international best practices. There are a handful of exceptions which are not included in the framework, but which are widely considered best practice and thus have been added to the Cyber Resilience KPI scoring algorithm.
3.3 - How to Attest CyberResilience
You can attest an organization's Cyber Resilience by either:
clicking on the Cyber Resilience KPI anywhere in the UI, and attesting to each of the 11 sections
actively managing these activities in the Governance & Resilience module, for example uploading policies, procedures and performing reviews
When attesting a client's Cyber Resilience KPI, you attest to security practices. A security practice (in the context of Cyber Resilience) is:
Practice: something you implement and review regularly, for example Incident Response Plan Reviews, IT Disaster Recovery Tests or Annual Security Presentations to the Board.
There are 2 different methods for attesting a client's Cyber Resilience KPI, which you can mix and match to quickly and accurately map your client's Cyber Resilience:
Method 1 - Manually
Click on each row in the Cyber Resilience attestation modal and attest to the various questions.
Note: for the Backup & Disaster Recovery section, there are a handful of questions about backup tools.
Method 2 - Manage through the Governance & Resilience module
HighGround has a Governance & Resilience module which enables MSPs and their clients to co-manage their cyber resilience activities. Some of the activities you can perform in this module include:
Upload Incident Response & IT Disaster Recovery plans and procedures
Upload Information Security Policies
Perform Incident Response Reviews & IT Disaster Recovery Tests
Perform Risk Assessments and Board Reviews
Map out Security Framework and Data Privacy Framework compliance requirements
Upload and map out Cyber Insurance Policies
Any activity performed in the Governance & Resilience module will be combined with any attestations to create the Cyber Resilience KPI. Any actual data entered in the module will override any attestations made on the Cyber Resilience KPI.
Note: The Cyber Resilience KPI is not dynamically updated by applying a security package to a client. To achieve the security benefits of the security package, you must perform these actions in the Governance & Resilience module and/or attest to them in the Cyber Resilience KPI. Because regular reviews are required, this is an ongoing task, and the scoring mechanism in HighGround reflects this.
4.0 - NIST CSF 2.0 Alignment (aka Cyber Radar Chart)
4.1 - What is NIST CSF 2.0 Alignment?
The NIST Cybersecurity Framework (CSF) 2.0 is an industry-standard security model comprising six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
HighGround's NIST CSF 2.0 Alignment KPI visually represents how an organization performs across five of these functions using a radar chart (excluding Govern, for which we use the Cyber Resilience KPI).
Hence we often refer to this as the 'Cyber Radar Chart'!
Imagine a fitness tracker that measures different aspects of health, such as heart rate, steps taken, and sleep quality. Similarly, the Cyber Radar Chart shows an organization's cybersecurity maturity against each of the key areas of the framework.
The further an organization extends outward on the chart, the more mature they are in that area.
When using the Cyber Radar Chart with clients, you can refer to their 'security shape', after the distinctive shape each organization's results generate on the Radar Chart.
4.2 - How is the NIST CSF 2.0 Alignment Calculated?
The KPI assesses cybersecurity maturity across five core functions:
Identify – Understanding assets, risks, and vulnerabilities.
Protect – Implementing security controls to defend against threats.
Detect – Monitoring systems for anomalies and potential breaches.
Respond – Taking action against cybersecurity incidents.
Recover – Ensuring business continuity and restoring services after an attack.
Each function is scored based on attestation responses to the CyberScore and Cyber Resilience KPIs in HighGround, and the results are plotted on a radar chart to provide a clear visual representation.
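Sections 2.2, 3.2 and 4.2 all describe the same shape of model: a catalogue of technologies and practices, each carrying a weight, a 0-100 score equal to the share of weight attested as in place, and a per-function breakdown for the radar chart with Govern left out. The Python below is an added illustration of that shape, not HighGround's code, and HighGround's real weightings are not published on this page: the control names, weights and the mapping of each control to a NIST CSF 2.0 function are constructed assumptions, and the override rule models Section 3.3's statement that actual data in the Governance & Resilience module takes precedence over a manual attestation.

```python
"""Illustrative weighted-attestation scoring model (added example, not HighGround's algorithm)."""
from typing import Dict, Iterable, Tuple

Control = Tuple[str, str, int]  # (control name, NIST CSF 2.0 function, weight)

# Constructed catalogue; weights sum to 100 so the arithmetic is easy to follow.
CONTROLS: Tuple[Control, ...] = (
    ("Endpoint Protection", "Protect", 15),           # technology: you have a tool for it
    ("SPF/DKIM/DMARC", "Protect", 10),                # practice: set up, configured, monitored
    ("Penetration Testing", "Identify", 10),          # practice: performed regularly
    ("Asset Inventory", "Identify", 10),
    ("Log Monitoring / SIEM", "Detect", 15),
    ("Incident Response Plan Review", "Respond", 10),
    ("IT Disaster Recovery Test", "Recover", 15),
    ("Board Security Review", "Govern", 10),
    ("Cyber Insurance", "Govern", 5),
)

# Constructed manual attestation: True means the control is in place or the practice is followed.
MANUAL_ATTESTATION: Dict[str, bool] = {
    "Endpoint Protection": True,
    "SPF/DKIM/DMARC": True,
    "Log Monitoring / SIEM": True,
    "Incident Response Plan Review": True,
    "IT Disaster Recovery Test": True,   # claimed manually; contradicted by the evidence below
}

# Constructed evidence from a governance module: an actual record overrides the manual claim.
MODULE_EVIDENCE: Dict[str, bool] = {
    "IT Disaster Recovery Test": False,  # no test record exists for the review period
}


def merge_attestations(manual: Dict[str, bool], evidence: Dict[str, bool]) -> Dict[str, bool]:
    """Recorded evidence wins over a manual attestation for the same control."""
    merged = dict(manual)
    merged.update(evidence)
    return merged


def weighted_score(controls: Iterable[Control], attested: Dict[str, bool]) -> int:
    """0-100 score: the share of total weight held by controls attested as in place."""
    controls = list(controls)
    total = sum(w for _, _, w in controls)
    earned = sum(w for name, _, w in controls if attested.get(name, False))
    return round(100 * earned / total) if total else 0


def function_scores(controls: Iterable[Control], attested: Dict[str, bool],
                    exclude: Tuple[str, ...] = ("Govern",)) -> Dict[str, int]:
    """Per-function 0-100 values for a radar chart; Govern is excluded by default,
    mirroring the page's note that Govern is covered by the Cyber Resilience KPI."""
    earned: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for name, fn, w in controls:
        if fn in exclude:
            continue
        total[fn] = total.get(fn, 0) + w
        earned[fn] = earned.get(fn, 0) + (w if attested.get(name, False) else 0)
    return {fn: round(100 * earned[fn] / total[fn]) for fn in total}


if __name__ == "__main__":
    attested = merge_attestations(MANUAL_ATTESTATION, MODULE_EVIDENCE)
    print("Overall score:", weighted_score(CONTROLS, attested))
    for fn, value in function_scores(CONTROLS, attested).items():
        print(f"{fn:>8}: {value}")
```

With the constructed data, the manual attestation alone would score 65, but once the module evidence overrides the disaster recovery claim the overall score drops to 50 and the Recover axis of the radar falls to 0 while Protect, Detect and Respond stay at 100. That gap between a claimed and an evidenced control is exactly what the override rule is meant to surface.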
4.3 - How to Attest NIST CSF 2.0 Alignment
The NIST CSF 2.0 radar chart cannot be attested to manually - it is inferred from the attestations made on the CyberScore and Cyber Resilience KPIs or by security packages applied to the client.
5.0 - Conclusion
HighGround’s Cyber KPIs provide a clear, actionable, and data-driven approach to cybersecurity assessment for MSPs and their clients.
By attesting and monitoring their CyberScore, CyberResilience, and NIST CSF 2.0 Alignment, organizations can:
Identify weak points in their security posture.
Improve their ability to respond to and recover from threats.
Align with industry best practices for cybersecurity governance.
By regularly attesting to security controls within HighGround, organizations can maintain an accurate, up-to-date view of their cybersecurity status and make informed decisions to enhance their resilience against evolving threats.