‘You can’t improve what you don’t measure’ – so goes the theory, at least. The quote is commonly attributed to the management thinker Peter Drucker, who held that agreed, measurable objectives are a crucial foundation of successful business management.
Information security (InfoSec) is no different: a handful of well-established KPIs (key performance indicators) dominate the discussion – the mean time between incidents, the mean time to recover from an incident, and the average cost per security incident.
Measuring KPIs helps a company set strategic goals and track whether it is actually reaching them.
In practice, however, companies often measure only the end results of their information security strategy – lagging indicators such as the ones above – and neglect its drivers: the leading metrics that show whether the information security management system (ISMS) is making progress at all. This article outlines how you can do things better.
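To make the three outcome KPIs named above concrete, here is an added worked example (not code from the original article) that computes them from a small incident register. The records, the `Incident` field names and the euro cost figures are all constructed assumptions; the point is the two details that are easy to get wrong in practice: the register must be sorted before consecutive gaps are measured, and incidents that are still open have no recovery time and no final cost yet, so they must be excluded rather than silently counted as zero.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    """One row of a hypothetical incident register (field names are assumptions)."""
    incident_id: str
    detected: datetime                 # when the incident was detected
    recovered: Optional[datetime]      # None while the incident is still open
    cost_eur: float                    # cost booked to the incident so far


# Constructed sample records, not real data. Deliberately out of
# chronological order, and the last one is still open.
INCIDENTS = [
    Incident("INC-2", datetime(2024, 1, 11, 8, 0), datetime(2024, 1, 12, 14, 0), 45_000.0),
    Incident("INC-1", datetime(2024, 1, 1, 8, 0), datetime(2024, 1, 1, 14, 0), 12_000.0),
    Incident("INC-4", datetime(2024, 2, 15, 8, 0), None, 8_000.0),   # open: running cost only
    Incident("INC-3", datetime(2024, 1, 31, 8, 0), datetime(2024, 1, 31, 11, 0), 3_000.0),
]


def _closed(incidents: Iterable[Incident]) -> List[Incident]:
    """Only incidents that have a recovery timestamp."""
    return [i for i in incidents if i.recovered is not None]


def mean_time_between_incidents(incidents: Iterable[Incident]) -> Optional[timedelta]:
    """Average gap between consecutive detections; open incidents count too.
    Undefined (None) with fewer than two incidents."""
    times = sorted(i.detected for i in incidents)  # the register may not be ordered
    if len(times) < 2:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return sum(gaps, timedelta()) / len(gaps)


def mean_time_to_recover(incidents: Iterable[Incident]) -> Optional[timedelta]:
    """Average detection-to-recovery time over closed incidents only."""
    closed = _closed(incidents)
    if not closed:
        return None
    durations = [i.recovered - i.detected for i in closed]
    return sum(durations, timedelta()) / len(durations)


def average_cost_per_incident(incidents: Iterable[Incident]) -> Optional[float]:
    """Average cost over closed incidents; an open incident's cost is not final."""
    closed = _closed(incidents)
    if not closed:
        return None
    return mean(i.cost_eur for i in closed)


def kpi_report(incidents: Iterable[Incident]) -> dict:
    """The three lagging KPIs plus the counts needed to read them in context."""
    incidents = list(incidents)
    mtbi = mean_time_between_incidents(incidents)
    mttr = mean_time_to_recover(incidents)
    return {
        "incidents_total": len(incidents),
        "incidents_open": len(incidents) - len(_closed(incidents)),
        "mtbi_days": None if mtbi is None else mtbi.total_seconds() / 86400,
        "mttr_hours": None if mttr is None else mttr.total_seconds() / 3600,
        "avg_cost_eur": average_cost_per_incident(incidents),
    }


if __name__ == "__main__":
    for key, value in kpi_report(INCIDENTS).items():
        print(f"{key:>16}: {value}")
```

Reporting the counts next to the averages matters: a mean time to recover of 13 hours computed from three closed incidents says something quite different from the same figure over three hundred, and a rising number of open incidents is exactly the kind of driver signal that an averages-only report hides.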
The facts in a nutshell
- KPIs should be specific and measurable, and each one should contribute to the overall business objectives.
- Mapping KPIs onto a ‘balanced scorecard’ lets you assess InfoSec success from several perspectives at once.
- KPIs can help determine which information security investments actually pay off financially.