Achieving Cyber-Risk Directives with Business Metrics
By Chad Boeckmann
April 8th, 2016
One of the key themes we have seen lately is treating the information security program as a core business function. A recent article on Jim Fowler, CIO of GE, reflects this approach: his team focuses on aligning to business processes rather than technical metrics.
Instead of focusing on technology metrics, Jim’s team focuses on business metrics. “When we deliver on our business metrics, we gain credibility across the company and we demonstrate the value of technology,” says Jim. (Source: HMG Strategy)
A February article by Deloitte titled “Sharpening the Board’s Role in Cyber-Risk Oversight” highlights that one of the board’s most important tasks is to:
“verify that management has a clear perspective of how the business could be most seriously impacted, and that management has the appropriate skills, resources, and approach in place to minimize the likelihood of a cyber incident—and the ability to mitigate any damages that could occur.”
How do the board, and for that matter management, know that their teams have the skills, resources and approach to minimize the likelihood of a cyber security incident? And how does management show it is meeting these requirements while aligning with business metrics rather than the technology metrics it has historically used?
The answer is to look at the entire information security program, of which cyber-risk is one component, in terms of process maturity. By scoring each process against the six maturity attributes from COBIT 4.1 (Awareness, Accountability, Policy & Procedures, Expertise, Automation and Measurability), we can represent the performance of every process that makes up the information security program and so meet what the board is asking for. The MAPP approach (Maturity Assessment, Profile and Plan) ties these pieces together in a simplified manner, and the TrustMAPP platform helps automate the journey toward better business alignment of both cyber-risk and information security program performance.

For a security leader, program performance over time then becomes a key metric for Major Business Objectives and can also tie into annual performance reviews. We have had clients use this approach to arrive well prepared for executive leadership team and Audit Committee meetings about their program’s performance. It also clearly highlights the areas that need improvement and the resources required to make those improvements.
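As an added illustration of the roll-up described above (example code written for this article, not TrustMAPP’s or COBIT’s own implementation), the script below scores each security process on the six COBIT 4.1 maturity attributes, derives a per-process and program-level maturity, ranks processes by their shortfall against a target level so the list doubles as a resourcing priority, and reports program maturity per period for the over-time metric. The six attributes and the 0–5 maturity scale are COBIT 4.1’s; the equal weighting of attributes and processes, the target level of 3.0, and the quarterly sample scores are assumptions constructed for the example.

```python
"""Roll up COBIT 4.1 maturity-attribute scores into process, program and trend views.

Added example for this article; not TrustMAPP code. The six attributes and the
0-5 scale come from COBIT 4.1. Equal weighting, the target level and the sample
scores are assumptions made for illustration.
"""
from statistics import mean

ATTRIBUTES = ("Awareness", "Accountability", "Policy & Procedures",
              "Expertise", "Automation", "Measurability")
MIN_LEVEL, MAX_LEVEL = 0, 5  # COBIT maturity levels: 0 non-existent .. 5 optimised


def validate(scores):
    """Reject a process whose attribute scores are missing, extra, or out of range."""
    missing = set(ATTRIBUTES) - set(scores)
    extra = set(scores) - set(ATTRIBUTES)
    if missing or extra:
        raise ValueError(f"attribute mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    for attr, level in scores.items():
        if not (isinstance(level, int) and MIN_LEVEL <= level <= MAX_LEVEL):
            raise ValueError(f"{attr}: level {level!r} not in {MIN_LEVEL}..{MAX_LEVEL}")


def process_maturity(scores):
    """Maturity of one process: equally weighted mean of its six attributes (assumption)."""
    validate(scores)
    return mean(scores[a] for a in ATTRIBUTES)


def weakest_attribute(scores):
    """The attribute holding the process back; ties resolve in ATTRIBUTES order."""
    validate(scores)
    return min(ATTRIBUTES, key=lambda a: scores[a])


def program_maturity(program):
    """Program-level maturity: mean across processes, each weighted equally (assumption)."""
    return mean(process_maturity(s) for s in program.values())


def program_summary(program, target):
    """Per-process maturity, shortfall against the target level, and the attribute
    to fund first. Sorted by largest shortfall so it doubles as a resourcing list."""
    rows = []
    for name, scores in program.items():
        level = process_maturity(scores)
        rows.append({
            "process": name,
            "maturity": round(level, 2),
            "gap": round(max(0.0, target - level), 2),
            "fix_first": weakest_attribute(scores),
        })
    return sorted(rows, key=lambda r: (-r["gap"], r["process"]))


def trend(history):
    """history: [(period_label, program_dict), ...] in chronological order.
    Returns [(period, program maturity)] for the performance-over-time metric."""
    return [(period, round(program_maturity(program), 2)) for period, program in history]


# Constructed sample scores for two quarters (illustrative, not real client data).
Q1 = {
    "Incident Response":        dict(zip(ATTRIBUTES, (3, 3, 2, 3, 1, 2))),
    "Access Control":           dict(zip(ATTRIBUTES, (4, 4, 4, 3, 3, 3))),
    "Vulnerability Management": dict(zip(ATTRIBUTES, (3, 2, 3, 2, 2, 1))),
}
Q2 = {
    "Incident Response":        dict(zip(ATTRIBUTES, (3, 3, 2, 3, 2, 2))),
    "Access Control":           dict(zip(ATTRIBUTES, (4, 4, 4, 3, 3, 3))),
    "Vulnerability Management": dict(zip(ATTRIBUTES, (3, 2, 3, 2, 2, 2))),
}

if __name__ == "__main__":
    for row in program_summary(Q1, target=3.0):
        print(f"{row['process']:<26} maturity={row['maturity']:.2f} "
              f"gap={row['gap']:.2f} fix first: {row['fix_first']}")
    for period, level in trend([("Q1", Q1), ("Q2", Q2)]):
        print(f"{period}: program maturity {level:.2f}")
```

The `fix_first` column is what turns a maturity score into a resource request: the lowest-scoring attribute of the process with the largest gap is the first item to fund, and the `trend` output is the number that can be carried from one Audit Committee meeting to the next.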
To learn more take a tour of TrustMAPP by contacting an advisor.