Delivering Metrics
Sample Engagements
Capability Assessment
4 - 6 week engagement identifies the following requirements:
Starting Out
New Metrics
Initial Agreement
of Metrics, RAGs,
and Dashboards
Step 1:
Initial agreement of metrics with stakeholders
Step 2:
Stakeholder
review Incl.
data providers
Step 3:
Data collated for new metrics
Step 4:
Review of metrics results with business
Growing Up
Dashboard
Enhancements
Initial Agreement
of Metrics, RAGs,
and Dashboards
Step 1:
Stakeholder requirements workshops
Step 2:
Enhanced dashboards agreed
Step 3:
Dashboard technology updated
Step 4:
Rollout to business stakeholders
Maturity
Asset Management
Initial Agreement
of Metrics, RAGs,
and Dashboards
Step 1:
Asset data providers workshops
Step 2:
Data provided and integration to technology
Step 3:
Visualisations updated with the new data
Step 4:
Asset improvements identified
Different starting points, same direction of travel
What Success Looks Like: Critical Factors
Success looks like risks moving within tolerance and to appropriate timelines. To make that happen effectively:
All measureable controls have metrics.
The metrics include the different control dimensions.
People understand the metric specifications.
Pragmatic risk tolerances are agreed.
Dashboards support the needs of each stakeholder.
Success Outcomes
Control weaknesses and priority are visible to stakeholders
Remediation owners know specific assets to be addressed
An overall reduction in security risk
What Success Feels Like: Security Risk Reduction
This is a typical maturity journey post implementation:
Day 0
Business awareness of activity increases.
Metric changes status to amber or red.
Business views metric results.
