If your information security functions like most, it develops copious amounts of data about the business's security that it delivers on a regular basis. And typically it never gets read.
"There's a lack of collaboration between the two parties," says Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues. "What is the common language that we should be speaking? How could we, from a security standpoint, be focused on the right things from a business perspective?"
Recent research by the ISF has found that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs). Durbin attributes this to the fact that most CISOs have little or no interaction with the audiences to whom they report. As a result, they are guessing at what their audiences need and miss the mark when attempting to provide ongoing management reporting on topics like information security effectiveness, organizational risk and information security arrangements.
"If I don't know what you're doing, how can I help you? I'm going to make some assumptions about what you're doing and I could be completely wrong," Durbin says. "Security guys are always talking about cost. If we realign this, the security guys can now go to the business and say, 'look, if this is what is important to you, this is the role I can play in helping you protect that, but I don't have the funding for a variety of reasons.' The business can then make the call as to whether to find the funding for that problem. It's no longer the security guy's problem, it's the business's problem."
4 steps to KPIs and KRIs
To help security departments find that common focus with the business, the ISF has developed a four-phase, practical approach to developing KPIs and KRIs. Durbin says this approach will help the information security function respond proactively to the needs of the business. The key, he says, is to have the right conversations with the right people.
The ISF's approach was designed to be applied at all levels of an organization and consists of four phases:
1. Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPRs and KRIs
2. Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations
3. Create impact by engaging to make recommendations relating to common interests and make decisions about next steps
4. Learn and improve by engaging to develop learning and improvement plans
At the heart of the ISF's approach is the idea of engagement. Engagement builds relationships and improves understanding, allowing the CISO and the security function as a whole to better respond to the needs of the business. As an added bonus, it tends to open doors, allowing the CISO to have influence beyond just reporting.
Sign up for CIO Asia eNewsletters.