One of the conversations I've had with many people is around metrics and KPIs. I'm a strong believer that we have not gotten to actual KPIs as an industry. To take it a step further, most of us feel that our metrics are pretty bad (see the S3 results). Last week I sat down to put the final touches on our new risk methodology document and came up with some ideas that I'm now batting around. Nothing earth-shattering, but I can finally see the last pieces of the puzzle fall into place.
If you remember, I posted a while ago about the equilibrium theory as well as flow management. Part of the equilibrium is to gather data from leaders in the company to arrive at an approximation of how much loss they are willing to accept. This is not to be confused with ALE (annualized loss expectancy), which estimates expected loss rather than the loss the business is willing to tolerate. To do this, I decided to gather roughly 20 questions that focus on the risk categories (Value, Brand and Operations) to put risk into context. What came out was very interesting.
Not only was I able to gather an understanding of what is acceptable, which governs the level of controls we implement, but I also got a metric. I now have the ability to establish, from the business itself, the acceptable level of security performance for the company, e.g. $2M is allowed in remediation costs, 2 public breaches, etc. If done right, I should end up with 3-5 metrics for all of Security.
More to come on this later.