How CISOs can create security KPIs and KRIs

The Information Security Forum recommends that CISOs take a four-step approach to creating KPIs and KRIs.

If your information security function is like most, it produces copious amounts of data about the business's security and delivers it on a regular basis. And typically it never gets read.

"There's a lack of collaboration between the two parties," says Steve Durbin, managing director of the Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues. "What is the common language that we should be speaking? How could we, from a security standpoint, be focused on the right things from a business perspective?"

Recent research by the ISF has found that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs). Durbin attributes this to the fact that most CISOs have little or no interaction with the audiences to whom they report. As a result, they are guessing at what their audiences need and miss the mark when attempting to provide ongoing management reporting on topics like information security effectiveness, organizational risk and information security arrangements.


"If I don't know what you're doing, how can I help you? I'm going to make some assumptions about what you're doing and I could be completely wrong," Durbin says. "Security guys are always talking about cost. If we realign this, the security guys can now go to the business and say, 'look, if this is what is important to you, this is the role I can play in helping you protect that, but I don't have the funding for a variety of reasons.' The business can then make the call as to whether to find the funding for that problem. It's no longer the security guy's problem, it's the business's problem."

4 steps to KPIs and KRIs

To help security departments find that common focus with the business, the ISF has developed a four-phase, practical approach to developing KPIs and KRIs. Durbin says this approach will help the information security function respond proactively to the needs of the business. The key, he says, is to have the right conversations with the right people.


The ISF's approach was designed to be applied at all levels of an organization and consists of four phases:

1. Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPIs and KRIs

2. Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations

3. Create impact by engaging to make recommendations relating to common interests and make decisions about next steps

4. Learn and improve by engaging to develop learning and improvement plans

At the heart of the ISF's approach is the idea of engagement. Engagement builds relationships and improves understanding, allowing the CISO and the security function as a whole to better respond to the needs of the business. As an added bonus, it tends to open doors, allowing the CISO to have influence beyond just reporting.

Engagement begins with the right data

Engagement starts with establishing relevance. In the ISF's approach, that means getting the right data, calibrated and supported by the right structures for the right audiences. That data must then be used consistently across the organization. Establishing relevance takes six steps, according to the ISF:

1. Understand the business context

2. Identify audiences and collaborators

3. Determine common interests

4. Identify the key information security priorities

5. Design KPI/KRI combinations

6. Test and confirm KPI/KRI combinations


Once you have the data, you need to generate insight from it. The ISF says reliable insights come from understanding KPIs and KRIs. Generating insights involves the following three steps:

1. Gathering data

2. Producing and calibrating KPI/KRI combinations

3. Interpreting KPI/KRI combinations to develop insights

With the insights in hand, it's time to create impact, ensuring that information is reported and presented in a way that is accepted and understood by all involved. This leads to decision and action, as follows:

1. Agree to conclusions, proposals and recommendations

2. Produce reports and presentations

3. Prepare to present and distribute reports

4. Present and agree on next steps

The final step is to develop learning and improvement plans based on everything learned from the previous steps. This, according to the ISF's approach, will lead to informed decisions based on an accurate view of performance and risk, giving organizations assurance that the CISO and information security function are responding proactively to priorities and other needs of the business.

"Now that cybersecurity has the attention of the board, and information risk is on the agenda, CISOs are being asked increasingly tough questions about security investment and risk," Durbin says. "It has never been more important for CISOs to be ready to answer these questions and articulate how the information security function is contributing to strategic priorities while helping to balance information risk."


Stories by Thor Olavsrud
