Achieving Cyber-Risk Directives with Business Metrics

Published On: April 8, 2016

By Chad Boeckmann

One of the key themes we have seen lately is treating the information security program as a core business function. A recent article by GE CIO Jim Fowler reflects this approach: he states that his team focuses on aligning with business processes rather than on technical metrics.

Instead of focusing on technology metrics, Jim’s team focuses on business metrics. “When we deliver on our business metrics, we gain credibility across the company and we demonstrate the value of technology,” says Jim. (Source: HMG Strategy)

A February article by Deloitte, “Sharpening the Board’s Role in Cyber-Risk Oversight,” highlights that one of the board’s most important tasks is to:

“verify that management has a clear perspective of how the business could be most seriously impacted, and that management has the appropriate skills, resources, and approach in place to minimize the likelihood of a cyber incident—and the ability to mitigate any damages that could occur.”

How do the board, and for that matter management, know that their teams have the skills, resources and approach to minimize the likelihood of a cyber security incident? And how does management show it is meeting these requirements while aligning with business metrics instead of the technology metrics it has historically used?

The answer is to look at the entire information security program, with cyber-risk as one component, in terms of process maturity. By measuring process maturity against the six maturity attributes from COBIT 4.1 (Awareness, Accountability, Policy & Procedures, Expertise, Automation and Measurability), we can represent the performance of each process that makes up the information security program and thus meet the demands of the Board.

The MAPP approach (Maturity Assessment, Profile and Plan) ties these pieces together in a simplified manner and uses the TrustMAPP platform to help automate the journey toward better business alignment for both cyber-risk and information security program performance. For a security leader, performance over time then becomes a key metric for Major Business Objectives and can also tie into annual performance reviews. We have had clients use this approach to arrive well prepared for executive leadership team and Audit Committee meetings on their program’s performance. It also clearly highlights areas for improvement and the resources required to make those improvements.
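As an added illustration of the measurement idea above (this is example code written for this page, not TrustMAPP's or COBIT's own tooling), the block below scores each security process on the six COBIT 4.1 attributes, rolls the scores up to a process and program maturity figure, ranks processes by their gap to a target level, and tracks one process across assessment periods. The 0 to 5 scale follows the COBIT 4.1 maturity levels; the process names, period labels, target value and scores are constructed sample data, and the equal-weight averaging is an assumption, not a documented MAPP rule.

```python
"""Process-maturity scoring across the six COBIT 4.1 maturity attributes (example code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The six maturity attributes named in the post (COBIT 4.1).
ATTRIBUTES = (
    "awareness", "accountability", "policy_and_procedures",
    "expertise", "automation", "measurability",
)
# Assumed scale: COBIT 4.1 maturity levels run from 0 (non-existent) to 5 (optimised).
MIN_LEVEL, MAX_LEVEL = 0, 5


@dataclass(frozen=True)
class ProcessAssessment:
    name: str                # security process being assessed
    period: str              # assessment period label, e.g. "2016-Q1" (constructed)
    scores: Dict[str, int]   # attribute -> maturity level 0..5

    def __post_init__(self):
        # Reject incomplete or out-of-range assessments rather than silently averaging them.
        missing = set(ATTRIBUTES) - set(self.scores)
        if missing:
            raise ValueError(f"{self.name}: missing attributes {sorted(missing)}")
        for attr, level in self.scores.items():
            if attr not in ATTRIBUTES or not MIN_LEVEL <= level <= MAX_LEVEL:
                raise ValueError(f"{self.name}: invalid score {attr}={level}")

    def maturity(self) -> float:
        # Equal-weight mean of the six attributes (an assumption of this example).
        return round(sum(self.scores[a] for a in ATTRIBUTES) / len(ATTRIBUTES), 2)

    def weakest_attributes(self) -> List[str]:
        # The attribute(s) holding this process back; these are the improvement candidates.
        low = min(self.scores[a] for a in ATTRIBUTES)
        return [a for a in ATTRIBUTES if self.scores[a] == low]


def program_maturity(assessments: List[ProcessAssessment]) -> float:
    """Program-level figure: mean maturity over all assessed processes in one period."""
    return round(sum(a.maturity() for a in assessments) / len(assessments), 2)


def improvement_plan(assessments: List[ProcessAssessment],
                     target: float) -> List[Tuple[str, float, List[str]]]:
    """Processes below target, largest gap first, each with its weakest attributes."""
    gaps = []
    for a in assessments:
        gap = round(target - a.maturity(), 2)
        if gap > 0:
            gaps.append((a.name, gap, a.weakest_attributes()))
    return sorted(gaps, key=lambda g: -g[1])


def trend(history: List[ProcessAssessment], process_name: str) -> List[Tuple[str, float]]:
    """Maturity of one process period by period: the 'performance over time' metric."""
    return [(a.period, a.maturity()) for a in history if a.name == process_name]


# Constructed sample data for two assessment periods.
SAMPLE_Q1 = [
    ProcessAssessment("Incident Response", "2016-Q1", {
        "awareness": 3, "accountability": 2, "policy_and_procedures": 2,
        "expertise": 3, "automation": 1, "measurability": 1}),
    ProcessAssessment("Vulnerability Management", "2016-Q1", {
        "awareness": 4, "accountability": 3, "policy_and_procedures": 3,
        "expertise": 3, "automation": 2, "measurability": 3}),
    ProcessAssessment("Access Management", "2016-Q1", {
        "awareness": 3, "accountability": 3, "policy_and_procedures": 4,
        "expertise": 3, "automation": 3, "measurability": 2}),
]
SAMPLE_Q2 = [
    ProcessAssessment("Incident Response", "2016-Q2", {
        "awareness": 3, "accountability": 3, "policy_and_procedures": 3,
        "expertise": 3, "automation": 2, "measurability": 2}),
]

if __name__ == "__main__":
    print("Program maturity Q1:", program_maturity(SAMPLE_Q1))
    for name, gap, weak in improvement_plan(SAMPLE_Q1, target=3.5):
        print(f"{name}: gap {gap} to target, weakest: {', '.join(weak)}")
    print("Incident Response trend:", trend(SAMPLE_Q1 + SAMPLE_Q2, "Incident Response"))
```

The per-process gap list is the kind of artifact that backs a resource request to an audit committee: it names the process, the size of the shortfall, and the attribute (for example automation or measurability) where investment would move the score. Swap in weighted attributes or a different target per process if your program treats some attributes as more important than others.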

To learn more take a tour of TrustMAPP by contacting an advisor.
