Security Metrics Reporting Model
The ComplianceForge Security Metrics Reporting Model™ (SMRM) takes a practical view towards implementing a sustainable metrics reporting capability. At the end of the day, executive management (e.g., CIO, CEO, Board of Directors (BoD), etc.) want an answer to a relatively-straightforward question: “Are we secure?” In order for a CISO to honestly provide an answer, it requires a way for the CISO to measure and quantify an “apples and oranges” landscape where processes and technologies lack both uniform risk weighting and abilities to capture metrics. The SMRM solves this aspect of dissimilarity by utilizing a weighted approach to metrics that generate Key Performance Indexes (KPXs) as a way to logically-organize and report individual metrics. Using KPX enables the SMRM to provide a reasonable and defendable answer.
The “Are we secure?” question is best answered as a numerical score. This quantifiable score is used to visualize the score against a numerical spectrum to provides context, based on the risk profile of the organization. The numerical score would land between “not secure” and “secure” on the spectrum, according to a baseline score definition that would be specific to the organization. This can provide long-term trending to evaluate the direct impact of certain security initiatives. Through automating the SMRM in a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform, the “Are we secure?” question can be both tracked to display trending and can be drilled down into KPXs, or individual metrics, to identify why the score changed.
Organized into five (5) categories, the KPX that help answer specific aspects of the “Are we secure?” question. Since many BoD are now wanting reporting in terms of the NIST Cybersecurity Framework (NIST CSF), the KPX are also aligned with the NIST CSF for added functionality. The KPX include Key Performance Index (KPI) and Key Risk Index (KRI) metrics. The metrics shown in this model are included in the ComplianceForge Digital Security Program (DSP).