Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How to measure cybersecurity effectiveness — before it’s too late

Thor Olavsrud | Sept. 5, 2017
The majority of organizations don't apply metrics to their cybersecurity efforts, and those that do often measure the wrong things. Here’s how to ensure your cybersecurity projects pay off.

While CISOs have to do much of the heavy lifting when it comes to cybersecurity, CIOs also have an important role to play, starting with providing the security function with the data it will need.

"The CIO's core responsibility is to make sure the organization has the information they need to make the right decisions," Carson says. "They need to identify what are the core, high-level assets of the organization, classify them. Then work with the CISO to protect them."


4 steps to KPIs and KRIs

To help security departments align with the business, the ISF has developed a four-phase, practical approach to developing KPIs and KRIs. Durbin says this approach will help the information security function respond proactively to the needs of the business. The key, he says, is to have the right conversations with the right people.

The ISF's approach was designed to be applied at all levels of an organization and consists of four phases:

  1. Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPRs and KRIs
  2. Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations
  3. Create impact by engaging to make recommendations relating to common interests and make decisions about next steps
  4. Learn and improve by engaging to develop learning and improvement plans

At the heart of the ISF's approach is the idea of engagement. Engagement builds relationships and improves understanding, allowing the security function to better respond to the needs of the business.


Engagement begins with the right data

Engagement starts with establishing relevance. In the ISF's approach, that means getting the right data, calibrated and supported by the right structures for the right audiences. That data must then be used consistently across the organization. Establishing relevance takes six steps, according to the ISF:

  1. Understand the business context
  2. Identify audiences and collaborators
  3. Determine common interests
  4. Identify the key information security priorities
  5. Design KPI/KRI combinations
  6. Test and confirm KPI/KRI combinations

Once you have the data, you need to generate insight from it. The ISF says reliable insights come from understanding KPIs and KRI. Generating insights involves the following three steps:

  1. Gathering data
  2. Producing and calibrating KPI/KRI combinations
  3. Interpreting KPI/KRI combinations to develop insights

With the insights in hand, it's time to create impact, ensuring that information is reported and presented in a way that is accepted and understood by all involved. This leads to decision and action, as follows:

  1. Agree to conclusions, proposals and recommendations
  2. Produce reports and presentations
  3. Prepare to present and distribute reports
  4. Present and agree on next steps

The final step is to develop learning and improvement plans based on everything learned from the previous steps. This, according to the ISF's approach, will lead to informed decisions based on an accurate view of performance and risk, giving organizations assurance that the information security function is responding proactively to priorities and other needs of the business.

"You need to develop a continuous evolution mindset," Carson says. "It's a culture, an awareness project. It's always ongoing."



Previous Page  1  2 

Sign up for CIO Asia eNewsletters.