Are there any specific KPIs or metrics that you use to measure the effectiveness of your security programs?
Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
I think it’s important to measure the human component as well as the technical details. Measuring service uptime, infected devices, incidents/attacks, and patching/AV status is necessary but not the full picture. I perform phishing tests and nighttime desktop audits to verify people are doing the right things (plus it makes them very aware). I trend audit findings/recommendations to not only fix issues but get to the root cause of an issue that was fixed the year before. Often the root cause for these issues is people, and sometimes that person is me. If you have regular third-party audits from customers, regulators, and certification bodies, and if some of those auditors are in the financial, healthcare, government or telecom industries, you will have enough data to tell you where to focus your efforts.
CIO in Finance (non-banking), 51 - 200 employees
NIST tier rank (capability)
Training scores (people)
Simulated Phishing scores (people)
External risk assessment and penetration testing results tied to NIST (snapshots)
Incident response readiness (more qualitative)
Recovery time objectives and recovery point objective (measured in hours and minutes)
Third-party risk scores (NIST-based)
CIO in Finance (non-banking), 51 - 200 employees
Also trend lines on vulnerabilities, incidents, suspicious activities
CIO in Finance (non-banking), 51 - 200 employees
Vulnerabilities per line of code written, in the development team.
Co-Founder and Director in Software, 2 - 10 employees
The training scores of security engineers, vulnerability assessment scores, audit report analysis and quality assurance, assessment time and response time.
CASH Europe IT Director in Transportation, 51 - 200 employees
KPI of security depends on the business line. In my eyes I would look at:
Compliance results (mainly certificate audits)
Penetration results
Use of security tools to make users "life" easier
Employee education program
So, if there are 100 critical risks open for longer than a certain period of time, we attract that because it goes back to the conversation of business impact. We try and put a metric and measurement on everything, and it ties into not only our strategic goals but also into our tactical goals for the year. They are also tied to individuals' goals to measure how they are trying to drive the security of the business to match those strategic objectives. We do that across the board with the KPIs that we have. We've been pretty successful with that.