Climbing ‘Metrics Mountain’
Our approach starts with a capability assessment to understand your starting position and desired goals.
We then provide a roadmap to meet your requirements. Your organisation will already be taking steps you can build on.
As you achieve a more mature position, your view of the security landscape will improve dramatically!
Capability Assessment
Security Measurement Roadmap
Stakeholder buy in
Drive investment funding
Starting Out
Embedding cyber metrics
- Key metrics
- Metric RAGs
- Metrics dashboard
- Operating model
Growing Up
Business-aware metrics & compelling dashboards
- Enhanced metrics
- Asset alignment
- Metric aggregation
- Performance culture
Maturity
All controls have metrics with automated dashboards for every audience
- Automated metrics collection
- Automated dashboards
- Asset inventory improvement
- Incident-based metrics
Improved Asset Management
For an in-depth understanding of how we help clients at every stage of their security metrics journey, be sure to read Climbing Metrics Mountain with i-confidential.
Security Metrics
Capability Model
Understanding metrics challenges is hard work. Addressing them is harder still. And there is often more than one right answer to contend with.
Our approach aligns to industry best practice and offers independent support backed by extensive knowledge and experience.
Foundations
Policy – rigorous requirements ensure new metrics provide the measurement information that is needed right from the start.
Governance – a core business discipline. Without effective governance, a lack of buy-in and agreement to metrics from stakeholders will limit their success.
Roles and Responsibilities – these need to be well defined for all aspects of the metrics operating model, from metrics definition and collection, through to dashboarding. One of the most important responsibilities to define is ownership for ‘route to green’ remediation actions.
Metrics Library
Our metrics library contains over 250 cyber measures which align to industry best practice, including ISO and NIST. Each measure has a proven, jargon-free definition that provides clarity on what it actually means.
We will work with you to align our ‘out of the box measures’ to both your controls and your organisation's language, giving you an immediate uplift in capability.
We use this library to identify gaps in your current control metrics, as well as help you improve the definition and clarity of any existing metrics.
Building Good Security Metrics
Covering all dimensions of a control that contribute to ineffectiveness and risk.
Example Metrics
Penetration Testing Control
4. Event Root Cause – security events attributable to a control weakness. *Requires advanced maturity.
3. Remediation – the performance of activity to fix security issues.
2. Results – indicates the output of the control in terms of security issues.
1. Coverage – the percentage of assets a control is being applied to.
% of applications penetration tested in the last year.
% of applications with open, high-risk, penetration test results.
% of open, high-risk, penetration test results outside remediation.
