Q: What are your thoughts on Key Performance Indicators or Criteria for Information Security?
A: Hi ...,
I strongly believe that key performance indicators for information security have 2 major categories:
1- Risk Related
2- Business Related
There are several readers on this page who can elaborate more about the risk related KPIs. A security KPI can only indicate something relevant if it is tied to a risk measurement framework. You can measure any metric delta in any of the systems that you can get data from (viruses blocked, attacks succeeded, malware identified etc), but only the metrics that create the risk visibility, and naturally the business impact, will help you to have the right measurement. Long story short, good KPIs are the ones that show the delta in your risk status. A change in the number of spam e-mails received on a certain domain may mean nothing if it is hosted and filtered at a remote provider and the domain is not in use by your operation.
The second and important category is naturally your business. There are times when your security initiatives are driven by tactical and strategic business needs. I can list hundreds of them, but if you want to categorize, here are the main business drivers.
1- Reducing cost
2- Increasing efficiency
3- Competitive Advantage
You may try to map the 3 items into a risk framework but I would rather not. You need to share the same goals with the business (the old aligning IT/Security with the business problem). And if your security related activities can create qualitative/quantitative metrics on how you reduce cost, increase efficiency and create competitive advantage, there you have the good KPIs. e.g. “We moved our e-mail cleansing to a 3rd party, now our cost is lower, we have more resources to focus on core projects, we have due diligence with e-discovery requirements, and now we have a greener data center :) here are the KPIs….”
Let me know if you have a specific question,
regards,
- yinal ozkan
Wednesday, October 10, 2007
1 comment:
KAFADANCE
Bppf