Saved by Chad Hudson
Building Cybersecurity KPIs for Business Leaders and Stakeholders
The truth is that in today’s hyperconnected world, maturity-based cybersecurity programs are no longer adequate for combatting cyberrisks. A more strategic, risk-based approach is imperative for effective and efficient risk management (Exhibit 2).
Jim Boehm • The Risk-Based Approach to Cybersecurity
Executives are often forced to make sense of a long list of sometimes conflicting metrics. By linking KRIs and KPIs, the cybersecurity team gives executives the ability to engage in meaningful problem-solving discussions on which risks are within tolerances, which are not, and why (see the sidebar, “Linking a KRI to a KPI”).
Jim Boehm • The Risk-Based Approach to Cybersecurity
To improve decision making at this level, the metrics provided by the security team must be risk based and framed in a way that aligns with business drivers.
tenable.com • How to Improve Your Cybersecurity Decision-Making to Reduce Business Risk - Blog | Tenable®
Now, let's think about this example in terms of cybersecurity. Your organization uses the NIST cybersecurity framework as a scoreboard to say, here's where we are in terms of our cyber maturity score. We think the attackers are currently ahead of us, and we need to increase our maturity on these three important items before the end of the year. And if w
...
CISO Tradecraft • 131 - Framing Executive Discussions
Get your business units to pull help from security and not have security keep pushing improvements on them. The main thing is for the CEO to not just provide support and resources for the CISO but to actually change the dynamic by regularly expecting each business line executive or functional leader to be able to articulate at some appropriate leve
...
Bottom line: • Crucial Questions From CEOs and Boards
One way to think about KRIs and KPIs is with regard to the relationship between altitude and trajectory. A KRI gives the current risk level of the enterprise (the “risk altitude”) while the KPI indicates the direction toward or away from the enterprise-risk-appetite level (“risk trajectory”). An enterprise may not yet have arrived at the leadership
...