KRIs serve several purposes. The main one is to act as an early warning system for potentially bad outcomes: a KRI crossing its threshold prompts an initial investigation and a response to a potential InfoSec risk event before it becomes an incident. This process builds proactive risk management habits among InfoSec managers. At a higher level, cyber-based KRIs allow firms to “measure” risk and to incorporate it into risk-based performance measurement, risk-based decision making and risk-based incentive schemes.
The KRIs’ early warning system provides indications as risk develops or increases over time. When policies are violated and procedures are not followed, red flags, symptoms and other evidence appear. Automated KRIs retrieve data-based IT metrics and assemble them into intelligence that can be investigated and acted upon to remediate the risk in the most appropriate way.
There is no truer saying within InfoSec Risk Management than “prevention is the best cure”. KRIs, when designed properly, used properly and communicated in a common language throughout your organization, give your firm the capability to achieve superior results in preventing Cyber Security breaches.
MetricStream, a GRC Platform provider, stated in its 2019 insights article that: “Key Risk Indicators (KRIs) are critical predictors of unfavorable events that can adversely impact organizations. They monitor changes in the levels of risk exposure and contribute to the early warning signs that enable organizations to report risks, prevent crises and mitigate them in time.”
Safeguarding your organization from InfoSec management risks necessitates periodic, regular reviews of these KRIs against their risk tolerance thresholds. WPY Data works with your team to reach agreement on the acceptable risk thresholds. We suggest monthly reporting at a minimum. The reporting, in a common-language format, delivers the key risks to senior management and throughout the IT team in a timely way. The WPY Data approach is to report KRI results in a graphical format with the underlying performance triggers (the threshold each KRI is measured against) clearly depicted.
For firms that have GRC platforms or network monitoring systems, WPY Data builds an API to access the available machine-based data and requests electronic input of any manual items. If your firm does not have a GRC platform, WPY Data offers a manual upload capability for the data-based metric items.
One of the biggest benefits of leveraging technology to manage KRIs is that it does away with manual Excel-based efforts, which can be time consuming and cumbersome. The WPY Data technology supports manual and automated data collection methods, applies the agreed risk thresholds, and reports advances and declines over time.
Thus, it is relatively easy to look at different InfoSec KRIs in the context of a firm’s InfoSec Risk Management. If the organization is already using an Enterprise Risk Management system (ERM), then it can combine the InfoSec KRIs effectively with other indicators in the dashboard.
Once the KRIs are established and each is measured numerically against its defined threshold, reporting and dashboards make it easy to see the critical areas that need analysis, which thresholds have been crossed, and where a corrective action plan is required. Ad hoc reports can be run at any time; for example, after a cyber breach, sets of reports can be run to assist forensic discovery. For machine-based data, ad hoc reports take minutes.
Automating KRIs provides visibility into critical InfoSec risks, a historical perspective, tracking of remediation activity, and workflow-based assignment of follow-up. These are some of the options available to your firm when technology is harnessed.
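As an added illustration of measuring KRIs against agreed thresholds and reporting advances and declines over time (this is example code written for this page, not WPY Data's product; the KRI names, thresholds and monthly figures are constructed and not real data), the following Python script evaluates three KRIs with warning and critical thresholds, works out the red/amber/green status, the month-over-month direction expressed in risk terms, and how many consecutive periods each KRI has been outside tolerance:

```python
"""
Added example: evaluating InfoSec KRIs against agreed thresholds and
reporting direction of travel. KRI names, thresholds and sample data are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class KRI:
    name: str
    unit: str
    warning: float                 # crossing this makes the KRI amber
    critical: float                # crossing this makes the KRI red
    higher_is_worse: bool = True   # False for "good" metrics such as MFA coverage


def rag_status(kri: KRI, value: float) -> str:
    """Red/amber/green status of a single observation against the thresholds."""
    if kri.higher_is_worse:
        breached_critical, breached_warning = value >= kri.critical, value >= kri.warning
    else:
        breached_critical, breached_warning = value <= kri.critical, value <= kri.warning
    if breached_critical:
        return "red"
    if breached_warning:
        return "amber"
    return "green"


def trend(kri: KRI, series: List[float]) -> str:
    """Period-over-period direction in risk terms: improving, worsening or flat."""
    if len(series) < 2:
        return "n/a"
    delta = series[-1] - series[-2]
    if delta == 0:
        return "flat"
    moved_toward_risk = (delta > 0) == kri.higher_is_worse
    return "worsening" if moved_toward_risk else "improving"


def consecutive_breaches(kri: KRI, series: List[float]) -> int:
    """Number of most recent periods at amber or worse, counted back from the latest."""
    n = 0
    for value in reversed(series):
        if rag_status(kri, value) == "green":
            break
        n += 1
    return n


def evaluate(kris: List[KRI], history: Dict[str, List[float]]) -> Dict[str, dict]:
    """One summary record per KRI; this is what a dashboard tile or drill-down consumes."""
    summary = {}
    for kri in kris:
        series = history[kri.name]
        status = rag_status(kri, series[-1])
        breached = consecutive_breaches(kri, series)
        summary[kri.name] = {
            "latest": series[-1],
            "unit": kri.unit,
            "status": status,
            "trend": trend(kri, series),
            "periods_breached": breached,
            # Escalation rule (an assumption of this example): anything red, or amber for
            # two or more consecutive periods, needs an owner and a corrective action plan.
            "needs_action": status == "red" or breached >= 2,
        }
    return summary


def render(summary: Dict[str, dict]) -> str:
    """Plain-text board view: one line per KRI, worst status first."""
    order = {"red": 0, "amber": 1, "green": 2}
    lines = [f"{'KRI':<40} {'latest':>8} {'status':<6} {'trend':<9} action"]
    for name, rec in sorted(summary.items(), key=lambda kv: order[kv[1]["status"]]):
        flag = "YES" if rec["needs_action"] else "-"
        lines.append(f"{name:<40} {rec['latest']:>6}{rec['unit']:<2} "
                     f"{rec['status']:<6} {rec['trend']:<9} {flag}")
    return "\n".join(lines)


# Constructed sample: six monthly observations per KRI (not real data).
KRIS = [
    KRI("Critical patches open more than 30 days", "", warning=10, critical=25),
    KRI("Phishing simulation click rate", "%", warning=5.0, critical=10.0),
    KRI("Privileged accounts with MFA enforced", "%", warning=95.0, critical=85.0,
        higher_is_worse=False),
]
HISTORY = {
    "Critical patches open more than 30 days": [4, 7, 12, 18, 27, 22],
    "Phishing simulation click rate": [3.1, 4.2, 4.8, 6.0, 5.5, 4.9],
    "Privileged accounts with MFA enforced": [99.0, 98.0, 96.0, 93.0, 90.0, 94.0],
}

if __name__ == "__main__":
    print(render(evaluate(KRIS, HISTORY)))
```

Note that the direction of a KRI is part of its definition: a rising patch backlog is bad, a rising MFA coverage is good, and a report that shows raw deltas without that context is exactly the kind of report boards find hard to read. The "consecutive periods breached" count is what turns a single noisy month into a trend worth a remediation owner.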
The headline below is heard from every industry and from companies of all sizes.
“Companies desire an effective, integrated approach to Cyber Risk Management and Reporting.” (McKinsey & Company)
This desire is driven by the lack of structure, lack of clarity and lack of consistent, real-time data in the reporting of the InfoSec metrics from which Key Risk Indicator (KRI) reports are built.
Let’s talk about structure… Executives, management and board members are swamped with reports. The reports are often poorly structured, containing inconsistent data and too much data to sort through. Cyber Security reports to executive management and boards are largely compiled by hand and driven by spreadsheets. Unsurprisingly, many board members are dissatisfied with the reports they receive.
Moving to clarity… Board members find these reports off-putting. Consequently, they struggle to get a sense of the overall risk posture and status. A consistent refrain we hear is “please tell me the security information in an understandable language”.
And last is the lack of consistent data… Different groups within the organization often use different, potentially conflicting, information to describe or evaluate the same aspects of cyber risk management. Ideally, every metric used to present a firm’s cyber risk posture should be actual data pulled from a network monitoring tool or an internal system report rather than a figure re-keyed by hand.
This data, mostly quantitative but also qualitative in a structured data set, builds the foundation for a set of reports based upon the same metrics and displaying historical trends.
One solution to the issues above is to create your standard InfoSec Key Risk Indicators (KRIs) in advance. This will require consensus among the management and operating teams. You may choose either a standard set or customized set of KRIs for your firm.
A KRI program should identify your risk posture and your risk tolerance; define the sources of the risk metrics (the data inputs); and produce understandable reports. The reporting is designed to be concise for your board and senior management, yet drill-downs are available for much greater detail on each metric item, giving the operational teams the information they require for remediation efforts.
We, at WPY Data, can help you construct your set of KRIs or leverage our standard set of KRIs. Visit us at: wpydata.com/pages/contact-us !