What information security KPIs are you tracking? Are they tied specifically to your organization’s business goals? If not, consider that using predictive business performance metrics could help increase your organization’s profitability—by as much as 20% over three years, according to one Gartner study.
To help you develop more relevant security performance indicators, here are some suggestions from the experts:
Make them meaningful to executives
Start by considering what matters most to executives:
- Meeting organizational goals
- Maintaining efficient, uninterrupted operational processes
- Fostering a positive public image
- Complying with regulations and contractual obligations
- Managing risks
Don’t focus on cost metrics
“Security guys are always talking about cost,” said Steve Durbin, managing director of the Information Security Forum (ISF), in a CIO magazine interview. “If we realign this, the security guys can now go to the business and say, ‘Look, if this is what is important to you, this is the role I can play in helping you protect that, but I don’t have the funding for a variety of reasons.’ The business can then make the call as to whether to find the funding for that problem. It’s no longer the security guy’s problem, it’s the business’s problem.”
Use leading vs. lagging metrics
A lagging indicator measures actual results, or outputs, so by the time you read it the outcome has already happened and it is too late to correct course. A leading indicator measures the activities needed to achieve your goals; these are inputs, and they give you the information you need to intervene and change direction while it still matters. For example, the number of malware infections reported after a new software rollout is a lagging indicator, whereas the number (or percentage) of endpoints whose antivirus signatures were updated before the rollout is a leading indicator: it reflects action taken in advance to make the launch succeed and keep users productive.
Evaluate the effectiveness of your proposed metrics
Thankfully, there’s a tool for that. The ASIS Foundation sponsored a major security metrics research project, and one of its outcomes was a Security Metrics Evaluation Tool that security managers can use to assess the quality of a specific security metric. The written tool helps you evaluate a metric against nine criteria, including its relevance to the organization’s strategic mission, how easily it can be communicated, and its reliability. The tool is in the Appendix of the research report, “Persuading Senior Management with Effective, Evaluated Security Metrics.”
Susan Richardson, Manager/Content Strategy, Code42
[Cloud Security Alliance Blog]