Security KPIs

Building meaningful KPIs isn't an easy task.

My experience with several enterprise IT and security methodologies and frameworks is that, because a) organisations are mostly immature with regard to security, and b) organisations want a security framework in place that they can trust because they do not understand the full risk picture, involvement with fat frameworks, highly theoretical and difficult to develop in practice, is very common, especially considering that not enough headcount is normally assigned to the security practice. With that in mind, we can and must simplify the security controls by revising them down to the most necessary indicators and getting rid of those that only organisations mature from a security angle are ready to deliver.

On the other hand, the framework or methodology to follow must be the simplest possible in order to streamline the control task, avoiding as much as possible the burden of the bureaucracy typically implemented in immature organisations as a result of a false sense of security when, in fact, they are simply less developed organisations trying to overcome a difficult IT practice to control risks.

Control objectives

  1. Cloud strategy
  2. Stakeholder communication plan
  3. Security cartography
  4. Documented shared responsibility model + RACI
  5. Security Operations playbook + Run-books + RACI
  6. Security epics plan / Director plan
  7. Incident response simulation

Measurement

Typology

  • [U] –> Unaddressed
  • [E] –> Engaged
  • [C] –> Completed

Values

  • [U] –> 0 or 'Not addressed'
  • [E] –> 1 or 'Addressed in architecture and plans'
  • [E] –> 2 or 'Minimal viable implementation'
  • [C] –> 4 or 'Enterprise-ready production implementation'