One Cybersecurity Metric To Dwell On


If Commerce Department acting CIO Rod Turk had to pick just one cybersecurity metric to measure, this would be it.

Having a robust set of indicators is important for assessing an agency’s cybersecurity, but how long hackers have access to a network may be the most important indicator, one federal IT official said.

In cybersecurity, the metric known as dwell time is the measure of how long it takes an organization to identify a breach from the time an adversary gains access. In 2017, the global average time to detection was 191 days, according to a study by the Ponemon Institute and IBM, down from 201 days in 2016.

For Rod Turk, Commerce Department acting chief information officer and former department chief information security officer, this metric can inform all the others.

“If you’re doing your work and you’re preventing things from getting into your organization, then guess what, your dwell time is near zero or at zero,” Turk said during a panel on cybersecurity Tuesday at the 2018 CFO/CIO Summit hosted by the Association of Government Accountants and the Association for Federal Information Resources Management.

Dwell time is not a specific metric in the Cybersecurity Framework, the basis for agencies’ annual reports under the Federal Information Security Management Act. However, the ability to detect breaches and anomalies on a system is one of the five core functions measured by the framework.

Turk suggested officials should actively measure dwell time and use it as a bellwether for the agency’s cybersecurity posture.

“It’s an interesting measure,” he said, “a kind of overall measure that speaks to everything you’re doing in cybersecurity.”