Thursday, December 12, 2019

The K in Cyber Security KPIs


The stakes involved in flying are higher than in cyber security. No one should disagree with that statement. 



With all of those high potential stakes, think about the airline key performance indicators (KPIs) that matter to you as a passenger when flying.
  
That your plane arrives at the destination.
That the plane arrives on time.
That emergency procedures are in place.
That your luggage arrives with your flight.


Each of the above is an easily digestible end state, a business outcome. They are simple questions that mask the “white space”: the complex activities that make up each of those outcomes.

They are the culmination of perhaps hundreds of tasks and measures into the things that matter to you as a passenger. 


You aren’t reviewing maintenance records before each flight or looking at company-wide maintenance percentages. The mechanics and regulators do. Weights and balance? Only when they are an issue. Fuel and meals? Already done by the time that you’ve stepped on board.  So, while those are measured and rolled into KPIs for specific audiences, they aren’t presented to you, the passenger.


Would you be able to stitch together all of the data points into a view of the state of the airline if you did have access? Likely not.

Yet, we often ask the same of non-technical executives.


Your execs who are stakeholders in cyber security are far closer to passengers than to mechanics. You may collect a series of detailed metrics and KPIs related to cyber, but the execs might not be the right audience for all of them. As with plane travel, they probably care more about understanding how to improve the 1% of failures than about basking in the 99% of successes.


So, what are the business outcomes for your cyber security program? 


You know, those same easily digestible ones that actually equate to meaningful measures for your stakeholders, the key ones.


The outcomes that quickly give a sense of the state of your program.

The ones that just make sense.


Like what you've read enough to follow me on Twitter? @Opinionatedsec1.

