Are there any specific KPIs or metrics that you use to measure the effectiveness of your security programs?

Security & GRC KPIs, Metrics & Reporting

14k views3 Upvotes7 Comments

Sort by:

CASH Europe IT Director in Transportation6 years ago

KPI of security depends on the business line. In my eyes I would look at :
Compliance results ( mainly certificate audits)
Penetration results
Use of security tools to make users "life" easier
Employee education program

Associate Director in Software6 years ago

The training scores of security engineers, vulnerability assessment scores, Audit report analysis and quality assurance, Assessment time and response time.

CIO in Finance (non-banking)6 years ago

Vulnerabilities per line of code written. In the development team

CIO in Finance (non-banking)6 years ago

Also trend lines on vulnerabilities, incidents, suspicious activities

CIO in Finance (non-banking)6 years ago

Nist tier rank (capability)
Training scores (people)
Simulated Phishing scores (people)
External risk assessment and penetration testing results tied to NIST (snapshots)
Incident response readiness (more qualitative)
Recovery time objectives and recovery point objective (measured in hours and minutes)
Third party risk scores (nist based)

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

Has anyone drafted an SOW for a cloud-based SIEM with setup, migration, and maintenance? I’m working on a FedRAMP-authorized SIEM SOW, migrating from on-prem Splunk, covering data, searches, alerts, dashboards, and models. Scope includes Environment Setup: Cloud provisioning, configuration, testing. Connectors/Parsers: Custom data source integration. Content Development: Rules, use cases, threat feeds. Performance Tuning: Query/index optimization. Runbooks: Operational procedures. Also required: 24x7 support, maintenance, lifecycle and application management, role-based training, and documentation. Must comply with NIST SP 800-53, CJIS, and FedRAMP Moderate+. Goal: Secure, scalable SIEM for rapid deployment. I may be missing elements, so suggestions are welcome. Please share redacted SOWs or tips if possible.

If you use an air-gapped backup solution, would you say there are drawbacks?

Slow recovery response times35%

Data availability is limited52%

Too expensive to scale effectively51%

Difficult to manage for widespread use34%

Prone to misconfiguration14%

No - There are no drawbacks6%

View Results

Which of the following security risks are you most concerned about affecting your organization?

Disruption via ransomware45%

Exploitation via phishing62%

Exfiltration of PII (Personally identifiable information)42%

Disruption via DDoS attacks29%

Disruption of a business-critical application25%

Other (comment below)

View Results

Are there any specific KPIs or metrics that you use to measure the effectiveness of your security programs?

Sort by:

Content you might like

Which tech conference do you intend to attend in person next year or have already participated in this year, and what motivated your choice?

If you use an air-gapped backup solution, would you say there are drawbacks?

Which of the following security risks are you most concerned about affecting your organization?

How are you currently managing SIEM costs? Have you found effective ways to actually reduce storage costs for your SIEM?

What sets us apart?

RELATED ONE-MINUTE INSIGHTS

How are U.S. CISOs Addressing Liability Risk?

CrowdStrike Outage: Impact And Recovery

Impact & Perceptions of A Privacy-First Digital Era

Challenges & Tools For A Privacy-First Internet Age

IT and Infosec Collaboration on Vulnerability Patching

Take Your Insights On-the-Go