Achieving Cyber-Risk Directives with Business Metrics

Published On: April 8, 2016

By Chad Boeckmann

One of the key themes we have seen lately is looking at information security programs as a core business function. A recent article by the CIO of GE, Jim Fowler, identifies with this approach by stating his team focuses on aligning to business processes and not technical metrics.

Instead of focusing on technology metrics, Jim’s team focuses on business metrics. “When we deliver on our business metrics, we gain credibility across the company and we demonstrate the value of technology,” says Jim. (Source: HMG Strategy)

A February article by Deloitte titled “Sharpening the Board’s Role in Cyber-Risk Oversight” highlights that one of the board’s most important tasks is to:

“verify that management has a clear perspective of how the business could be most seriously impacted, and that management has the appropriate skills, resources, and approach in place to minimize the likelihood of a cyber incident—and the ability to mitigate any damages that could occur.”

How does the board, and for that matter management, know that their teams have the skills, resources and approach to minimize the likelihood of a cyber security incident? And how does management show it is meeting these requirements while aligning with business metrics instead of the technology metrics that management has historically used?

The answer to this question is to look at the entire information security program, with cyber-risk as one component, in terms of process maturity. By measuring process maturity using the six maturity attributes from COBIT 4.1 (Awareness, Accountability, Policy & Procedures, Expertise, Automation and Measurability), we can begin to represent the performance of each process that composes the information security program and thus meet the demands of the Board. The MAPP approach (Maturity Assessment, Profile and Plan) ties these pieces together in a simplified manner and uses the TrustMAPP platform to help automate the journey toward improved business alignment of both cyber-risk and information security program performance. For a security leader, performance over time then becomes a key metric for Major Business Objectives and can also tie to annual performance reviews. We have had clients use this approach to be well prepared for executive leadership team and Audit Committee meetings regarding their program’s performance. This approach also clearly highlights areas for improvement and the resource requirements needed to make the identified improvements.

To learn more take a tour of TrustMAPP by contacting an advisor.
