CIOReview
November 2023

Metrics and KPIs: What Are They and Where Do I Start?

By Ed Harris, Global Director of Information Security, Mauser Packaging Solutions

Mr. Harris is pursuing his Doctorate in Information Assurance and has 32+ years of network and security experience. He is a Certified Information Systems Security Professional and has spent 12 years in academia teaching computer security. Mr. Harris is a security evangelist, author, and international speaker who has spoken academically and professionally for more than 29 years.

Metrics and KPIs are the hallmark of any mature program, regardless of what the program is. While these two indicators are not specific to IT or to any of its sub-disciplines, they help tell the story of how a program operates. Let us start with a few definitions to level-set.

A "metric" is a quantifiable measurement or standard used to assess, compare, and evaluate aspects of a system, process, or phenomenon. For example, a company identified and blocked 4,000 malicious emails in one month. In the following month, it identified and blocked 5,000 malicious emails. This metric tells the story of a 25% increase. As that number continues to grow, leadership has an opportunity to begin taking their email security to the next level.

A "KPI" (Key Performance Indicator) is a specific metric used to measure the performance of an organization or team toward its goals and objectives. For example, a KPI may be the goal of blocking 100% of the malicious emails sent to your company. In the previous month you stopped 4,000 messages; in the next month you blocked 5,000. Month over month, you continue to meet the objective of blocking 100% of the malicious email. But what happens when the number of malicious emails exceeds the capability of your email security? When your KPI for this objective drops below 100%, it indicates a deficiency in your program that needs attention.

Where do I start?

Defining a metric and KPI program is not difficult. It is always best to start with what you have. You likely patch systems regularly. Hopefully, you have some email security and are doing some vulnerability assessments. Most companies probably have a firewall with some form of Intrusion Detection or Intrusion Prevention.

| Metric | Frequency | KPI | Notes |
|---|---|---|---|
| How many viruses or malware are being blocked monthly by your AV solution? | Track in Excel for six months and use a trend line. | Is my AV solution capable of detecting new viruses and malware? | If YES, then your AV program is running well. If NOT, then resolve. |
| How many viruses and malware are being blocked by your email solutions? | Track in Excel for six months and use a trend line. | Can my email security detect new viruses and malware? | If YES, then your email security program is running well. If NOT, then resolve. |
| How many workstations were fully patched this month? | Track the percentage of systems fully patched monthly. | Choose a reasonable target, like 90% or higher. | Given the organization's size, expecting 100% patching success is unrealistic. It only takes one person to go on vacation and miss their monthly patching to affect this KPI. |
| How many servers were fully patched this month? | Track the percentage of systems fully patched monthly. | Choose a reasonable target, like 95% or higher. | It is reasonable to have nearly 100% patching for servers, but some business drivers (like month-end closing) may keep some servers from being taken offline to patch. |
| How many malicious attempts to break into the company did the firewall block? | Track the number of attempts over six months. | Has my firewall allowed any traffic that is considered suspicious? | If so, then you may need to upgrade its capabilities and throughput. |

The above metrics and KPIs are simple, straightforward, and easy to gather and report to senior leadership. As you add capabilities, identify metrics that show what the organization is experiencing, and identify KPIs that show whether those metrics are where they should be.
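The table's recipe (track six months, add a trend line, compare the latest month to a target) as an added Python example, not code from the article or its author; the KPI names, targets and six-month figures are constructed for illustration.

```python
# Added example, not from the article: the table's "track six months in Excel,
# add a trend line, compare to a target" recipe as a repeatable calculation.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Kpi:
    name: str
    values: List[float]        # one value per month, oldest first
    target: Optional[float]    # KPI threshold from the table; None = metric only
    higher_is_better: bool = True

def pct_change(old: float, new: float) -> float:
    """Month-over-month change in percent; 4,000 -> 5,000 blocked emails is +25.0."""
    return (new - old) / old * 100.0

def trend_slope(values: List[float]) -> float:
    """Least-squares slope per month over the series (what the Excel trend line draws)."""
    n = len(values)
    x_mean = (n - 1) / 2.0
    y_mean = sum(values) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den

def kpi_status(k: Kpi) -> str:
    """'met' if the latest month hits the target, 'resolve' if not, 'metric-only' if no target."""
    if k.target is None:
        return "metric-only"
    latest = k.values[-1]
    ok = latest >= k.target if k.higher_is_better else latest <= k.target
    return "met" if ok else "resolve"

def evaluate(kpis: List[Kpi]) -> Dict[str, str]:
    """Map each KPI name to its status for the monthly report."""
    return {k.name: kpi_status(k) for k in kpis}

# Constructed six-month sample data, not figures from any real organisation.
SAMPLE_KPIS = [
    Kpi("Malicious emails blocked (count)", [4000, 4200, 4500, 4700, 4800, 5000], None),
    Kpi("Malicious emails blocked (% of those sent)", [100, 100, 100, 100, 100, 99.8], 100),
    Kpi("Workstations fully patched (%)", [88, 91, 93, 92, 94, 95], 90),
    Kpi("Servers fully patched (%)", [97, 98, 96, 99, 94, 93], 95),
]

if __name__ == "__main__":
    counts = SAMPLE_KPIS[0].values
    print(f"blocked emails: {pct_change(counts[-2], counts[-1]):+.1f}% month over month, "
          f"trend {trend_slope(counts):+.0f}/month; KPIs: {evaluate(SAMPLE_KPIS)}")
```

With the sample data the email block rate and server patching come back as "resolve", which is the signal the article says should trigger attention, while the raw block count carries no target and is reported as a trend only.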