Properly Structured InfoSec KRIs Improve Communications
The headline below is heard across every industry and from companies of all sizes.

“Companies desire an effective, integrated approach to Cyber Risk Management and Reporting.” (McKinsey & Company)

This sentiment is exacerbated by three gaps in how InfoSec metrics are reported to build Key Risk Indicator (KRI) reports: a lack of structure, a lack of clarity, and a lack of consistent, real-time data.

Let’s talk about structure… Executives, management and board members are swamped with reports. Those reports are often poorly structured, frequently contain inconsistent data, and present too much data to sort through. Cyber security reports in particular are largely compiled by hand and driven by spreadsheets in order to report cyber risk to executive management and boards. Unsurprisingly, many board members are dissatisfied with the reports they receive.

Moving to clarity… Board members find these reports off-putting. Consequently, they struggle to get a sense of the overall risk posture and status. A consistent refrain we hear is “please tell me the security information in an understandable language”.

And last is the lack of consistent data… Different groups within the organization often use different, and potentially conflicting, information to describe or evaluate the same aspects of cyber risk management. Ideally, every metric used to present a firm’s cyber risk posture should be actual data pulled from a network monitoring tool or an internal system report, not a figure re-keyed by hand.

This data, mostly quantitative but also qualitative when captured in a structured data set, builds the foundation for a set of reports that are based upon the same metrics and that display historical trends.

One solution to the issues above is to define your standard InfoSec Key Risk Indicators (KRIs) in advance. This requires consensus among the management and operating teams. You may choose either a standard set or a customized set of KRIs for your firm.

KRIs should include identification of your Risk Posture and your Risk Tolerance; define the sources for the Risk Metrics (data input); and produce understandable reports. The reporting is designed to give your board and senior management a concise view, while drill-downs into each metric item provide the much greater detail that operational teams require for remediation efforts.

We, at WPY Data, can help you construct your set of KRIs or leverage our standard set of KRIs. Visit us at: wpydata.com/pages/contact-us !