In Chapter 5 we look at how to create a metrics program that will help you measure the performance of your entire organization and determine what to report to your management and your board of directors. Each of the authors has a bias toward objective measurements and sees that as key to fulfilling the role of the trusted authority on your organization’s risk posture. They collectively emphasize the value of using widely adopted security frameworks to create a comparable baseline from which to measure improvement and extoll the virtues of being disciplined in the performance of preventive and periodic controls.
Bill Bonney begins with a brief historical review by tying measurement to business objectives and briefly discusses the evolution from control coverage to measuring impact on service delivery. He provides several recommendations for frameworks you can use to establish your baseline. To conclude his section on measuring process effectiveness, he provides a helpful set of principles for deciding what metrics are reported and how to maximize the impact of the reports. Bill then pivots to a discussion on the CISO’s role in risk management and how to measure the effectiveness of this strategic function.
Matt Stamper points out that there is no shortage of things to measure and helps the reader understand how detrimental an unchecked onslaught of raw data can be. He skillfully guides the reader through an analysis of key categories of risk and the relevant measurements to capture and report. Some of the categories he covers include legal, financial, human resources, vendor management, software, data, and system hygiene.
Gary Hayslip focuses on how to effectively frame information for management and the board of directors to, in his words, “tell a story.” After outlining the criteria for developing the set of metrics the CISO will collect and share, including sample metrics and a formula for creating a good metric, Gary pivots to organizing the information for consumption and action. He brings all of this home for the reader by sharing lessons learned, including the types of reports and dashboards to share (and with whom), establishing relationships with the recipients of the dashboards, and putting the information into context before they even see the report.
Some of the questions the authors used to frame their thoughts for this chapter include:
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.