Business has finally realized the importance of cybersecurity. However, it has turned out that few companies measure value and effectiveness of their cybersecurity activities. Metrics though provide a clear understanding of how properly the process works and how it works for the business.


According to the Thycotic’s SMI (Security Measurement Index) benchmark survey, 58 percent of the respondents failed to answer right when asked to evaluate their cybersecurity activities comparing to the cybersecurity investments and best practices.


The survey revealed that even though companies spend more than $100 billion a year on cybersecurity, 32 percent do this blindly.


Moreover, 80 percent of respondents have not included business users in the process of purchasing cybersecurity products. They had also failed to organize a corresponding committee to evaluate the risks that might have come from the cybersecurity investments.


Information Security Forum, a nonprofit association that analyzes security and risk management, has found out that many CISOs defined the wrong KPIs (key performance indicator) and KRIs (key risk indicators). This can be due to the lack of interaction between CISOs and people who they report to. And guesses usually work poorly.


ISF has made it easier for the companies to synchronize business and security departments with its 4-phase process of KPI and KRI development. The plan can be deployed at all the levels of business:


  1. 1. Study and define the business context, common interests for both departments and combinations of KPIs and KRPs.
  2. 2. Create proper vision by engaging the departments to participate in producing, calibrating, and interpreting the KPIs and KRPs combinations.
  3. 3. Generate influence with engagement to recommend about common interest and decisions about the next steps.
  4. 4. Makeup and follow the learning and improvement plans.


Engagement, being the core part of every step, can be delivered through the relevance. That is the right data, structured in the right way and targeted at the right audience. According to the ISF, to establish the relevance of data, the company needs to:
1. Understand the business context.
2. Define the audiences and collaborators.
3. Identify common interests.
4. Outline the main information security priorities.
5. Develop KPI and KRI combinators.
6. Test the developed combinators.


Once the data accumulated, it is important to get insights from it. ISF has developed a direction for this, too:
1. Define the data.
2. Generate and differentiate KPI/KRI combinators.
3. Interpret the combinators to get the insights.


Decisions and actions are derived from the conclusions, proposals, and recommendations. After that reports are created and presented, and the next steps are presented and agreed. The whole process ends up with learning and improvement plans forming on the previous steps.


As stated by ISF, the whole process leads to the data-driven decisions with an accurate vision of risks and performance. This will lead to the proactive and adequate reaction of the information security department to the business needs.