Climbing ‘Metrics Mountain’
Our approach starts with a capability assessment to understand your starting position and desired goals.
We then provide a roadmap to meet your requirements. Your organisation will already be taking steps you can build on.
As you achieve a more mature position, your view of the security landscape will improve dramatically!
Capability Assessment
Security Measurement Roadmap
Stakeholder buy-in
Drive investment funding
Starting Out
Embedding cyber metrics
- Key metrics
- Metric RAGs
- Metrics dashboard
- Operating model
Growing Up
Business-aware metrics & compelling dashboards
- Enhanced metrics
- Asset alignment
- Metric aggregation
- Performance culture
Maturity
All controls have metrics with automated dashboards for every audience
- Automated metrics collection
- Automated dashboards
- Asset inventory improvement
- Incident-based metrics
Improved Asset Management
For an in-depth understanding of how we help clients at every stage of their security metrics journey, be sure to read Climbing Metrics Mountain with i-confidential.
Security Metrics
Capability Model
Understanding metrics challenges is hard work. Addressing them is harder still. And there is often more than one right answer to contend with.
Our approach aligns to industry best practice and offers independent support backed by extensive knowledge and experience.
Metrics Library
Our metrics library contains over 250 cyber measures which align to industry best practice, including ISO and NIST. Each measure has a proven, jargon-free definition that provides clarity on what it actually means.
We will work with you to align our ‘out of the box measures’ to both your controls and your organisation's language, giving you an immediate uplift in capability.
We use this library to identify gaps in your current control metrics, as well as help you improve the definition and clarity of any existing metrics.
Building Good Security Metrics
Good metrics cover all dimensions of a control that contribute to ineffectiveness and risk:
1. Coverage – the percentage of assets a control is being applied to.
2. Results – indicates the output of the control in terms of security issues.
3. Remediation – the performance of activity to fix security issues.
4. Event Root Cause – security events attributable to a control weakness. *Requires advanced maturity.
Example Metrics: Penetration Testing Control
- % of applications penetration tested in the last year.
- % of applications with open, high-risk penetration test results.
- % of open, high-risk penetration test results outside remediation.
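As an added illustration (not i-confidential's code or metrics library), the three penetration-testing metrics above computed in Python over a constructed application inventory and findings list; the 30-day high-risk remediation window and the RAG thresholds are assumed values, since the page does not state them.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): app inventory with last pentest date, plus findings.
AS_OF = date(2024, 6, 30)
APPS = {  # app -> date of last penetration test (None = never tested)
    "payments": date(2024, 2, 10),
    "portal": date(2023, 11, 5),
    "intranet": date(2024, 5, 1),
    "hr-system": date(2023, 3, 1),  # more than a year ago
    "legacy-crm": None,
}
FINDINGS = [  # (app, severity, status, date raised)
    ("payments", "high", "open", date(2024, 2, 12)),
    ("payments", "high", "open", date(2024, 6, 1)),
    ("payments", "medium", "open", date(2024, 2, 12)),
    ("portal", "high", "closed", date(2023, 11, 8)),
    ("portal", "high", "open", date(2024, 6, 15)),
]
HIGH_RISK_SLA = timedelta(days=30)  # assumed remediation window for high-risk findings

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def coverage(apps=APPS, as_of=AS_OF):
    """Coverage: % of applications penetration tested in the last year."""
    cutoff = as_of - timedelta(days=365)
    return pct(sum(1 for d in apps.values() if d and d >= cutoff), len(apps))

def open_high_risk(findings=FINDINGS):
    return [f for f in findings if f[1] == "high" and f[2] == "open"]

def results(apps=APPS, findings=FINDINGS):
    """Results: % of applications with open, high-risk penetration test results."""
    return pct(len({f[0] for f in open_high_risk(findings)}), len(apps))

def remediation(findings=FINDINGS, as_of=AS_OF, sla=HIGH_RISK_SLA):
    """Remediation: % of open, high-risk results still open beyond the assumed SLA."""
    open_hr = open_high_risk(findings)
    return pct(sum(1 for f in open_hr if as_of - f[3] > sla), len(open_hr))

def rag(value, amber, red):
    """RAG status where a higher value is worse; thresholds are assumed, set per organisation."""
    return "red" if value >= red else "amber" if value >= amber else "green"

def dashboard(apps=APPS, findings=FINDINGS, as_of=AS_OF):
    """Metric value and RAG per dimension; coverage is rated on its shortfall from 100%."""
    cov, res, rem = coverage(apps, as_of), results(apps, findings), remediation(findings, as_of)
    return {"coverage": (cov, rag(100 - cov, amber=25, red=50)),
            "results": (res, rag(res, amber=10, red=25)),
            "remediation": (rem, rag(rem, amber=25, red=50))}
```

On the sample data this yields coverage 60.0% (amber), results 40.0% (red) and remediation 33.3% (amber), so a single dashboard row per dimension is enough to show where the control is weakest.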