We measure a lot of things at Pearson, from the number of endpoints that have antivirus or certain controls in place to the number of systems that are patched and when they're patched. We also measure risk exceptions. Then we report not only the number of open exceptions that we have, but the risk level those exceptions have too. So, if there are 100 critical risks open for longer than a certain period of time, we track that, because it goes back to the conversation of business impact. We try to put a metric and measurement on everything, and it ties into not only our strategic goals, but also into our tactical goals for the year. They are also tied to individuals' goals, to measure how they are trying to drive the security of the business to match those strategic objectives. We do that across the board with the KPIs that we have. We've been pretty successful with that.
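The exception-ageing metric described in the post above (open exceptions counted by risk level, with the ones open longer than a set period flagged), worked through as an added example. This is illustrative code, not Pearson's reporting system: the per-level thresholds, the record layout and the sample exceptions are all constructed here.

```python
"""Risk-exception ageing report (added example, not from the original post).

Given a list of risk exceptions, count how many are still open per risk
level and how many of those have been open longer than an assumed per-level
threshold. Thresholds, record layout and sample data are constructed.
"""
from collections import Counter
from datetime import date

# Assumed ageing thresholds in days per risk level. These are illustrative
# values, not the original poster's; an unknown level falls back to 0 days so
# it is always flagged rather than silently ignored.
DEFAULT_THRESHOLDS = {"critical": 30, "high": 90, "medium": 180, "low": 365}

# Constructed sample data: id, risk level, open date and optional close date
# (ISO 8601 strings). EXC-4 is closed and must not be counted as open.
SAMPLE_EXCEPTIONS = [
    {"id": "EXC-1", "risk": "critical", "opened": "2024-01-10", "closed": None},
    {"id": "EXC-2", "risk": "critical", "opened": "2024-03-25", "closed": None},
    {"id": "EXC-3", "risk": "high", "opened": "2023-11-01", "closed": None},
    {"id": "EXC-4", "risk": "high", "opened": "2024-02-01", "closed": "2024-03-01"},
    {"id": "EXC-5", "risk": "medium", "opened": "2023-06-01", "closed": None},
    {"id": "EXC-6", "risk": "low", "opened": "2024-03-30", "closed": None},
]

# Fixed reporting date so the example is reproducible offline.
REPORT_DATE = date(2024, 4, 1)


def age_days(exc, as_of):
    """Days an exception has been (or was) open, measured to as_of if still open."""
    opened = date.fromisoformat(exc["opened"])
    end = date.fromisoformat(exc["closed"]) if exc["closed"] else as_of
    return (end - opened).days


def summarize_exceptions(exceptions, as_of, thresholds=DEFAULT_THRESHOLDS):
    """Return open and overdue counts per risk level plus the overdue ids.

    An exception is overdue when it is still open and its age exceeds the
    threshold for its risk level. Closed exceptions are excluded entirely.
    """
    open_by_level = Counter()
    overdue_by_level = Counter()
    overdue_ids = []
    for exc in exceptions:
        if exc["closed"]:
            continue
        level = exc["risk"]
        open_by_level[level] += 1
        if age_days(exc, as_of) > thresholds.get(level, 0):
            overdue_by_level[level] += 1
            overdue_ids.append(exc["id"])
    return {
        "open": dict(open_by_level),
        "overdue": dict(overdue_by_level),
        "overdue_ids": sorted(overdue_ids),
    }


def sample_report():
    """Run the report over the constructed sample as of REPORT_DATE."""
    return summarize_exceptions(SAMPLE_EXCEPTIONS, REPORT_DATE)


if __name__ == "__main__":
    report = sample_report()
    for level in DEFAULT_THRESHOLDS:
        print(f"{level:>8}: open={report['open'].get(level, 0)} "
              f"overdue={report['overdue'].get(level, 0)}")
    print("overdue ids:", ", ".join(report["overdue_ids"]))
```

Reporting the overdue count beside the plain open count is what turns the exception register into the business-impact figure the post refers to: two critical exceptions open is a different conversation from one critical exception that has been open past its agreed period.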
I think it's important to measure the human component as well as the technical details. Measuring service uptime, infected devices, incidents/attacks, and patching/AV status is necessary but not the full picture. I perform phishing tests and nighttime desktop audits to verify people are doing the right things (plus it makes them very aware). I trend audit findings/recommendations not only to fix issues but to get to the root cause of an issue that was fixed the year before. Often the root cause for these issues is people, and sometimes that person is me. If you have regular third-party audits from customers, regulators, and certification bodies, and if some of those auditors are in the financial, healthcare, government or telecom industries, you will have enough data to tell you where to focus your efforts.
NIST tier rank (capability)
Training scores (people)
Simulated phishing scores (people)
External risk assessment and penetration testing results tied to NIST (snapshots)
Incident response readiness (more qualitative)
Recovery time objectives and recovery point objectives (measured in hours and minutes)
Third-party risk scores (NIST based)
Also trend lines on vulnerabilities, incidents, and suspicious activities.
Vulnerabilities per line of code written, in the development team.
The training scores of security engineers, vulnerability assessment scores, audit report analysis and quality assurance, assessment time and response time.
Security KPIs depend on the business line. In my eyes I would look at:
Compliance results (mainly certificate audits)
Penetration results
Use of security tools to make users' lives easier
Employee education program