"All stakeholders have sight of their risk position..."

A multinational general insurance company sought our help in upgrading their security metrics framework. No matter where an organisation currently stands, there is always an opportunity to improve the way they measure performance.

​

Although the client already had a pre-existing framework, they wanted to ensure it represented industry best practice. i-confidential’s extensive Security Metrics Library is based on security controls aligned to industry standards (e.g. NIST/ISO).

​

In undertaking this piece of work, we would design and implement an upgraded security metrics framework for monthly cyber-risk measurement.

Our work began by assessing the security metrics currently in place. On review, some of the measures were only there because data was available for measurement – a problem we often see. Organisations measure what they can, rather than what they should. As an organisation’s metrics capability matures, this tends to improve. 

​

Other measures were removed as they were lower risk. This allowed teams to focus on the work required to gather high-value, key cyber-risk indicators.

​

Using i-confidential’s Metrics Library, we helped the client identify priority risk investment areas. Our metrics, along with conversations with Security, showed where dedicated resource could be used to improve processes. Whereas previously decision making had been a subjective activity, i-confidential’s framework provided an objective view to assist prioritisation activities.

​

The framework was designed so that risk could be quantified across different business areas whilst providing an overall organisational, central view. i-confidential was therefore able to meet multiple stakeholder requirements for understanding the risk position in their areas of responsibility.

The Approach