Achieving Cyber-Risk Directives with Business Metrics

Published On: April 8, 2016

By Chad Boeckmann
April 8th, 2016

One of the key themes we have seen lately is looking at information security programs as a core business function. A recent article by the CIO of GE, Jim Fowler, identifies with this approach by stating his team focuses on aligning to business processes and not technical metrics.

Instead of focusing on technology metrics, Jim’s team focuses on business metrics. “When we deliver on our business metrics, we gain credibility across the company and we demonstrate the value of technology,” says Jim. (Source: HMG Strategy)

Based on a February article written by Deloitte titled “Sharpening the Board’s Role in Cyber-Risk Oversight” the article highlights one of the board’s most important tasks is to:

“verify that management has a clear perspective of how the business could be most seriously impacted, and that management has the appropriate skills, resources, and approach in place to minimize the likelihood of a cyber incident—and the ability to mitigate any damages that could occur.”

How does the board know, and for that matter management know, their teams have the skills, resources and approach to minimize likelihood of a cyber security incident?  Also, how does management show they are meeting these requirements while aligning with business metrics instead of technology metrics that management historically has used?

The answer to this question is looking at the entire information security program, cyber-risk a component, in terms of process maturity. By measuring process maturity and using six maturity attributes from COBIT 4.1 (Awareness, Accountability, Policy & Procedures, Expertise, Automation and Measurability) we can begin to represent the performance of each process that composes the information security program and thus meet the demands required by the Board. The MAPP approach (Maturity Assessment, Profile and Plan) ties these pieces together in a simplified manner and uses the TrustMAPP platform to help automate the journey to improved business alignment with both cyber-risk and information security program performance. Now as a security leader the performance over time becomes a key metric for Major Business Objectives and can also tie to annual performance reviews. We have had clients use this approach to be well prepared with the executive leadership team and the Audit Committee meetings regarding their program’s performance. This approach also eloquently highlights areas for improvement and resource requirements needed to make identified improvements.

To learn more take a tour of TrustMAPP by contacting an advisor.

Browse These Topics


Assess Company's Security Readiness automate and visualize information security risk management better understanding of their information security management boost the confidence of board members boost the protection of your data corporation’s information security create a security roadmap cyber attack Cyber defense experts cyber security determining cyber risks developing security programs across the business Easy to Understand Data Security Solution effective cyber security software Effective Data Security Measures Good Cyber Hygiene guide development of a strong information security high quality cyber security tools house being robbed Identify Potential Security Weaknesses information security dashboard information security management information security managers information security platform Information Security Programs maintain advanced cyber security maintain the control and strength of your firm’s cyber security manage security programs success Managing information security prioritize security functions professional information security Progressive Data Security Solutions Proposing solutions to cyber threats reliable cyber security platform reliable information security dashboard responsibilities of a CISO risk assessment software stay ahead of potential cyber threats strengthening your company’s security measures strength of your company’s information security strong information security programs vCISO Visualization of Information Security Risk Management Visualize Information Security Risks visual representation of security risk in an organization