Security Metrics That Deliver Data to Support Key Decisions
“By generating distinct stakeholder dashboards... we removed confusion
and inconsistency.”
A global banking client engaged i-confidential to help transform its existing approach to security metrics management. The organisation produced multiple dashboards, targeting distinct management audiences. The output was both unclear and inconsistent, with various datasets and collection mechanisms. This led to misunderstandings and credibility issues, and impacted security decision-making.
i-confidential reviewed the client’s existing metrics against the 250 that make up our best-practice Security Metrics library. From this, we identified a priority set of initial metrics which were the most pragmatic. We based this on the importance of the measure and the feasibility of collection in the short term. This approach delivered rapid improvements for the client, as well as clarity on future metrics direction.
Using our coverage metrics, we resolved the challenge of incomplete control rollouts during cyber transformation. We provided control owners with phased coverage metrics that could also be used by the transformation team to measure success. This delivered the benefit of maintaining control owner accountability for coverage, though at a lower required coverage threshold. At the same time, it was possible to set clear success criteria for the cyber transformation team, including higher threshold targets and 'required by' dates.
We configured Security Metrics to present measures aligned to the client’s business function and control owner names. We reviewed the client’s data capture methods and automated these within our dashboard tool. This presented a unified set of reports, and various target audience dashboards were fed data from the same original source.
The Approach
The Problem
The Outcome
i-confidential’s Security Metrics library enabled the client to implement clear, effective metrics. In addition, it aided the requirements prioritisation process for further improvements. The new dashboard standardised the capture of metrics across the global security teams in scope and removed much of the manual overhead of monthly reporting. It had the added benefit of enabling reporting by geography as well as by business unit.
By generating distinct stakeholder dashboards based on the same monthly metrics results data, we removed confusion and inconsistency. Overall, this enhanced security reporting credibility and supported key decision making.
We received positive feedback from control owners, as well as the Head of Security Metrics Reporting, who was able to redeploy several people previously involved in dashboard maintenance and delivery.