Leading the way with KRIs
A holistic approach to InfoSec Risk Management for Cyber Security incorporates knowledge of risk measurements in near real time. Automating metric-based Key Risk Indicators (KRIs) is a brilliant way to accomplish this.
KRIs have multiple purposes. The main purpose is to be an early warning system for potentially bad outcomes. The KRIs prompt initial investigation and response to deal with a potential InfoSec risk event. This process develops proactive risk management within InfoSec managers. At a higher level, cyber-based KRIs allow firms to “measure” risk and incorporate risk into risk-based performance measurement, risk-based decision making and risk-based incentive schemes.
The KRIs’ early warning system provides indications as risk grows or diminishes over time. As policies are violated and procedures are not followed, red flags, symptoms and other evidence are given off. Automated KRIs retrieve data-based IT metrics and assemble them into intelligence to be investigated and acted upon so that the risk can be remediated most appropriately.
There is no truer saying in InfoSec Risk Management than “prevention is the best cure”. KRIs, when designed properly, used properly, and communicated in a common language throughout your organization give your firm the capability to achieve superior results in preventing Cyber Security breaches.
MetricStream, a GRC Platform provider, stated in its Feb 2019 insights article that: “Key Risk Indicators (KRIs) are critical predictors of unfavorable events that can adversely impact organizations. They monitor changes in the levels of risk exposure and contribute to the early warning signs that enable organizations to report risks, prevent crises and mitigate them in time.”
Safeguarding your organization from InfoSec Management Risks necessitates periodic and regular reviews of these KRIs vis-à-vis their thresholds. WPY Data works with your team to reach concurrence on the Acceptable Risk Thresholds. We suggest monthly reporting at a minimum. The reporting, in a common language format, delivers timely reporting of key risks to senior management and throughout the IT team. The WPY Data approach is to report the results of KRIs in a graphical format with the underlying KRI performance triggers clearly depicted.
For firms which have GRC platforms, WPY Data builds an API to access the available machine-based data and requests electronic input of any manual items. If your firm does not have a GRC platform, WPY Data has a manual upload capability for the data-based metric items.
One of the biggest benefits of leveraging technology to manage KRIs is that it does away with manual efforts, which can be time consuming and cumbersome. The WPY Data technology supports manual and automated data collection methods, enables risk thresholds, and reports advances and declines over time.
With this in place, it is relatively easy to look at different InfoSec KRIs in the context of a firm’s InfoSec Risk Management. If the organization is already using an Enterprise Risk Management (ERM) system, then it can combine the InfoSec KRIs effectively with other indicators in the dashboard.
Once these are established and measured against the defined thresholds in a numerical depiction, reporting and dashboards make it easy to see critical areas for analysis, threshold review, and corrective action. At any time, ad hoc reports can be run. For example, in the case of a cyber breach, sets of reports can be run to assist in forensic discovery. The ad hoc reports take minutes for machine-based data.
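The mechanics described above (agreed thresholds, monthly readings, advances and declines over time, and triggers that prompt investigation) are concrete enough to sketch in code. The following is an added illustration written for this page; it is not WPY Data's product code and does not describe their API. The four KRIs, their thresholds and the monthly readings are constructed sample data, and the 10% early-warning band used by `triggered()` is an assumption, not a figure from the article.

```python
"""Minimal KRI monitor: metric history, agreed thresholds, breach and trend flags.
Added example; KRIs, thresholds and readings below are constructed, not real data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class KRI:
    """One Key Risk Indicator with its agreed acceptable-risk threshold."""
    name: str
    threshold: float
    higher_is_worse: bool = True  # False for coverage-style metrics (e.g. MFA %)
    history: List[Tuple[str, float]] = field(default_factory=list)  # (period, value)

    def record(self, period: str, value: float) -> None:
        """Append one reading; periods are appended in chronological order."""
        self.history.append((period, value))

    def latest(self) -> Optional[float]:
        return self.history[-1][1] if self.history else None

    def breached(self) -> bool:
        """True when the latest reading crosses the threshold on the bad side."""
        v = self.latest()
        if v is None:
            return False
        return v > self.threshold if self.higher_is_worse else v < self.threshold

    def trend(self) -> str:
        """'worsening', 'improving' or 'flat' relative to the previous period."""
        if len(self.history) < 2:
            return "flat"
        prev, cur = self.history[-2][1], self.history[-1][1]
        if cur == prev:
            return "flat"
        moved_up = cur > prev
        return "worsening" if moved_up == self.higher_is_worse else "improving"

    def status(self) -> Dict[str, object]:
        return {"kri": self.name, "value": self.latest(), "threshold": self.threshold,
                "breached": self.breached(), "trend": self.trend()}


def evaluate(kris: List[KRI]) -> List[Dict[str, object]]:
    """The numerical depiction behind a dashboard: one status row per KRI."""
    return [k.status() for k in kris]


def triggered(kris: List[KRI]) -> List[str]:
    """KRIs that should prompt investigation: already breached, or worsening and
    within an early-warning band of 10% of the threshold (band is an assumption)."""
    out = []
    for k in kris:
        v = k.latest()
        if v is None:
            continue
        band = abs(k.threshold) * 0.10
        near = abs(v - k.threshold) <= band
        if k.breached() or (k.trend() == "worsening" and near):
            out.append(k.name)
    return out


def render(kris: List[KRI]) -> str:
    """Plain-text monthly report: value vs threshold, breach flag, direction."""
    lines = []
    for s in evaluate(kris):
        flag = "BREACH" if s["breached"] else "ok"
        lines.append(f"{s['kri']:<45} {s['value']:>8} / {s['threshold']:<8} "
                     f"{flag:<6} {s['trend']}")
    return "\n".join(lines)


def build_sample_kris() -> List[KRI]:
    """Constructed readings for four monthly periods (not real measurements)."""
    unpatched = KRI("Critical vulns unpatched > 30 days", threshold=10)
    phishing = KRI("Phishing simulation click rate (%)", threshold=5.0)
    stale_admin = KRI("Privileged accounts not reviewed in 90 days", threshold=0)
    mfa = KRI("MFA coverage of remote access (%)", threshold=98.0, higher_is_worse=False)
    for period, u, p, s, m in [
        ("2019-01", 6, 3.1, 3, 99.0),
        ("2019-02", 8, 4.2, 2, 98.9),
        ("2019-03", 9, 4.7, 1, 98.7),
        ("2019-04", 13, 4.8, 0, 98.4),
    ]:
        unpatched.record(period, u)
        phishing.record(period, p)
        stale_admin.record(period, s)
        mfa.record(period, m)
    return [unpatched, phishing, stale_admin, mfa]


if __name__ == "__main__":
    kris = build_sample_kris()
    print(render(kris))
    print("Investigate:", ", ".join(triggered(kris)))
```

Running it shows the two kinds of signal the article separates: the unpatched-vulnerability KRI has crossed its threshold and is reported as a breach, while the phishing click rate and MFA coverage have not crossed theirs but are moving the wrong way and sit close to the line, so they surface as early warnings. The privileged-account review KRI is improving and stays off the investigation list. Swapping `build_sample_kris()` for readings pulled from a GRC platform or a manual upload is the only change needed to run this over real monthly data.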
Automating KRIs provides access to critical InfoSec risks, provides a historical perspective, can track remediation activity, and can assign workflow-based follow-up. These are some of the options available to your firm when technology is harnessed.