Are there any specific KPIs or metrics that you use to measure the effectiveness of your security programs?

Security & GRCKPIs, Metrics & Reporting
14k viewscircle icon3 Upvotescircle icon7 Comments
Sort by:
CASH Europe IT Director in Transportation6 years ago

KPI of security depends on the business line. In my eyes I would look at : 
Compliance results ( mainly certificate audits)
Penetration results
Use of security tools to make users "life" easier
Employee education program

Lightbulb on1
Associate Director in Software6 years ago

The training scores of security engineers, vulnerability assessment scores, Audit report analysis and quality assurance, Assessment time and response time.

Lightbulb on1
CIO in Finance (non-banking)6 years ago

Vulnerabilities per line of code written. In the development team

Lightbulb on1
CIO in Finance (non-banking)6 years ago

Also trend lines on vulnerabilities, incidents, suspicious activities

Lightbulb on2
CIO in Finance (non-banking)6 years ago

Nist tier rank (capability)
Training scores (people)
Simulated Phishing scores (people)
External risk assessment and penetration testing results tied to NIST (snapshots)
Incident response readiness (more qualitative)
Recovery time objectives and recovery point objective (measured in hours and minutes)
Third party risk scores (nist based)

Lightbulb on1

Content you might like

We are looking into Purview for Data Catalog, Data Map capabilities. There were multiple threads ~1 year ago with less positive feedback. 

Has things changed since then? Has anyone implemented in recent months and how was your experience. We are looking at data sources such as ADLS, Synapse, Power BI and number of SaaS softwares.

Is employee self reporting reliable enough to measure value gains (or even time savings) from AI projects? If not, what’s your approach?

I'd like to discuss the privacy and data security implications of compromised accounts where a CoPilot (such as Microsoft's) is profiled on an account. It's clear that this poses a significant security risk, as a CoPilot with access to all our Graph services presents a unique attack vector. Those interested in learning more about what can be accessed and seen should feel free to ask. In cases where an account has been hacked, a thorough data-mining activity is often necessary to assess the extent of the breach. Have you thought about?

I don't have any concern about.16%

I feel there is a gap... but I haven't thought about before75%

I already have something on track to fix it6%

Other1%

View Results

Do you think your board/executive leadership understands cybercrime as an industry in itself?

Yes45%

Some but not all46%

No7%

I don’t know

View Results

I’m reaching out to connect with peers in State K-12 education agencies who have developed home-grown solutions for assigning and managing Unique Student Identifiers (UIDs)—particularly for enrollment tracking and state/federal reporting. If your organization has implemented an in-house system for student ID management, I’d greatly appreciate the opportunity to learn from your experience.