Are there any specific KPIs or metrics that you use to measure the effectiveness of your security programs?

Lee Vorthman

Lee Vorthman, Director of Information Security

We measure a lot of things at Pearson, from the number of endpoints that have antivirus or certain controls in place to the number of systems that are patched and when they're patched. We also measure risk exceptions. Then we report not only the number of open exceptions that we have, but the risk level those exceptions have too. So, if there are 100 critical risks open for longer than a certain period of time, we track that because it goes back to the conversation of business impact. We try and put a metric and measurement on everything and it ties into not only our strategic goals, but also into our tactical goals for the year. They are also tied to individuals' goals to measure how they are trying to drive the security of the business to match those strategic objectives. We do that across the board with the KPIs that we have. We've been pretty successful with that.
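The risk-exception KPI described above, as an added example (not Pearson's tooling): it counts open exceptions per risk level and, separately, those open longer than an age threshold, over a constructed sample register.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class RiskException:
    ident: str
    risk_level: str                 # e.g. "critical", "high", "medium", "low"
    opened: date
    closed: Optional[date] = None   # None while the exception is still open


def exception_kpis(exceptions, as_of, max_age_days):
    """Return (open_by_level, aged_by_level): open exceptions per risk level,
    and of those, the ones open for more than max_age_days as of `as_of`."""
    open_by_level = Counter()
    aged_by_level = Counter()
    cutoff = as_of - timedelta(days=max_age_days)
    for ex in exceptions:
        # An exception closed on or before the reporting date is not open;
        # one closed after the reporting date still counted as open then.
        if ex.closed is not None and ex.closed <= as_of:
            continue
        open_by_level[ex.risk_level] += 1
        if ex.opened < cutoff:
            aged_by_level[ex.risk_level] += 1
    return dict(open_by_level), dict(aged_by_level)


# Constructed sample register, not real data.
SAMPLE = [
    RiskException("EX-1", "critical", date(2024, 1, 5)),
    RiskException("EX-2", "critical", date(2024, 3, 20)),
    RiskException("EX-3", "high", date(2023, 11, 1), closed=date(2024, 2, 1)),
    RiskException("EX-4", "high", date(2024, 2, 10)),
    RiskException("EX-5", "medium", date(2024, 3, 28)),
]


def sample_kpis():
    """Report as of 2024-04-01 with a 30-day age threshold."""
    return exception_kpis(SAMPLE, date(2024, 4, 1), max_age_days=30)


if __name__ == "__main__":
    open_by_level, aged_by_level = sample_kpis()
    for level in ("critical", "high", "medium", "low"):
        print(f"{level:9} open={open_by_level.get(level, 0)} "
              f"aged>30d={aged_by_level.get(level, 0)}")
```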

Douglas Ljung

Douglas Ljung, Director of Information Security

I think it’s important to measure the human component as well as the technical details. Measuring service uptime, infected devices, incidents/attacks, and patching/AV status is necessary but not the full picture. I perform phishing tests and nighttime desktop audits to verify people are doing the right things (plus it makes them very aware). I trend audit findings/recommendations to not only fix issues but get to the root cause of an issue that was fixed the year before. Often the root cause for these issues is people and sometimes that people is me. If you have regular third-party audits from customers, regulators, and certification bodies and if some of those auditors are in the financial, healthcare, government or telecom industries you will have enough data to tell you where to focus your efforts.

Forrest Richardson

Forrest Richardson, CIO

- NIST tier rank (capability)
- Training scores (people)
- Simulated phishing scores (people)
- External risk assessment and penetration testing results tied to NIST (snapshots)
- Incident response readiness (more qualitative)
- Recovery time objectives and recovery point objectives (measured in hours and minutes)
- Third-party risk scores (NIST based)

Forrest Richardson

Forrest Richardson, CIO

Also trend lines on vulnerabilities, incidents, suspicious activities

Forrest Richardson

Forrest Richardson, CIO

Vulnerabilities per line of code written, in the development team.

Harshavardhan C

Harshavardhan C, CISO

The training scores of security engineers, vulnerability assessment scores, audit report analysis and quality assurance, assessment time and response time.

Yossi Rabinovitz

Yossi Rabinovitz, Director of IT

KPI of security depends on the business line. In my eyes I would look at:
- Compliance results (mainly certificate audits)
- Penetration results
- Use of security tools to make users' "life" easier
- Employee education program