Information Risk Metrics — Necessary But Not Sufficient

IREC members overwhelmingly report that improving the information risk metrics program is at or near the top of their agenda for 2010.  Almost to an individual, CISOs tell us that the ROI calculation for their metrics program isn’t nearly what it should be.  Years of ongoing investment—staff time to collect and report metrics, expensive technologies to aggregate data feeds, etc.—have led to just a marginal improvement in tangible outcomes.

Organizations use metrics in the service of three major outcomes: 1) Communicate persuasively with executives; 2) Improve internal efficiency; and 3) Track the risk landscape.  In each case, good metrics are a necessary but not sufficient mechanism for solving the problem, and leading organizations are working to find the correct balance between metrics and other decision tools.

Outcome #1: Persuasive Communication with Senior Management

In this most common use of information risk metrics, organizations rely on metrics to convey the current and desired state of the information risk environment.  Relying heavily on metrics to drive these conversations, however, leads organizations to present either overly technical or highly abstracted information with little value to a lay audience.  Leading organizations instead rely on a small set of executive-communication tools, including operational metrics but also maturity models, effective presentation templates, and more, to ensure they present a holistic description of the function.

Outcome #2: Improve Internal Efficiency

Metrics reporting on the performance of security processes and technologies can serve as the foundation for identifying operational issues within the security function.  Monitoring differences over time and across operating units can provide great visibility into functional performance.  However, many useful metrics are expensive to monitor, and organizations risk misallocating resources by over-relying on data that are easy to gather.  Some leading organizations are taking the “Jack Welch” approach to metrics, culling the least valuable 10 to 15 percent of their metrics each year to ensure they are not over-investing in metrics collection and maintenance.

Outcome #3: Track the Risk Landscape

This approach relies on metrics to capture information about changes to the internal or external threat environment before they result in an incident or other problem.  Organizations struggle to identify metrics that truly serve as leading indicators of risk, and further struggle to set appropriate thresholds for taking action against them.

IREC’s metrics-related research is a work in progress, and we continue collecting input and feedback along the way.  Are we missing anything in this list of uses for metrics?  Have you made progress against any of these outcomes in an interesting way?  Let us know, by e-mail or in the comments below.  We’re looking forward to the discussion.
