KPIs-KRIs - CyberMaterial

Q: How do KRIs help organizations?

Effective KRIs help to: Identify the biggest risks. Quantify those risks and their impact. Put risks into perspective by providing comparisons and benchmarks. Enable regular risk reporting and risk monitoring. Alert key people in advance of risks unfolding. Help people to manage and mitigate risks.

Key Performance Indicators (KPIs) are the gauges and measurements an organization uses to understand how well individuals, business units, projects, and companies are performing against their strategic goals. Once an organization has identified its strategic goals, KPIs serve as monitoring and decision-making tools that help answer your organization’s key performance questions.

Key Risk Indicators (KRIs) measure risk. KRIs are used by organizations to determine how much risk they are exposed to or how risky a particular venture or activity is. KRIs are a way to quantify and monitor the biggest risks an organization (or activity) is exposed to. By measuring the risks and their potential impact on business performance, organizations are able to create early warning systems that allow them to monitor, manage and mitigate key risks.

Effective KRIs help to: Identify the biggest risks. Quantify those risks and their impact. Put risks into perspective by providing comparisons and benchmarks. Enable regular risk reporting and risk monitoring. Alert key people in advance of risks unfolding. Help people to manage and mitigate risks.

No. Even though many organizations use the terms Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) interchangeably, they are actually two different tools with different purposes.

KRIs must be linked to the company’s strategic priorities, so it all starts with strategy. Each KRI should ideally be linked to a KPI and, in turn, be linked to core strategic goals, priorities, and initiatives. This helps to keep the focus on key risks and not every possible risk that the organization might face.

KRIs should be specific, predictive, and easy to quantify through hard numbers, percentages, or ratios. In addition, for each KRI, you’ll need to identify the relevant thresholds and trigger points – as in, when should your early warning system go off?

Once you’ve got your KRIs and KPIs in place, you need to monitor and track them regularly. How often will depend on the specific KPI and KRI? Some indicators may need to be monitored in real-time, for instance, while others warrant only a quarterly check-in.

It’s also a good idea to review KPIs and KRIs regularly in terms of their relevance to the business. After all, goals and priorities change as a business evolves and this will impact the risk management and performance management metrics that you choose.

Vendor relationships begin and end with contractual obligations.

Therefore, your service level agreements (SLAs) act as a primary starting point for measuring vendor performance. If you include specific metrics as part of your SLAs, you can measure how effective your vendor is in maintaining a secure environment.

Some questions to consider include:

How quickly do they resolve operational and administrative failures?

How often is the system unavailable?

How many times have they been breached?

How often do they update their product?

Do they incorporate continuous cyber security monitoring of their own environment and ecosystem?

There is no authoritative list of cybersecurity KPIs and KRIs that all businesses or organizations should track.

The metrics you choose will depend on your organization’s needs and risk appetite. Those metrics should, however, be clear to anyone looking at your reporting. For instance, your business-side colleagues should be able to understand them without an explanation.

To choose the KPIs that are best suited for your business, take the following steps:

1. Write a clear objective for each KPI.

2. Share each KPI with stakeholders.

3. Review each KPI regularly.

4. Make sure each KPI is actionable.

5. Adjust each KPI as necessary to fit your business’s changing needs.

6. Confirm that each KPI is attainable.

7. Update each KPI objective as needed

The KPIs you choose should be clear and relevant and give a full picture of your organization’s cybersecurity measures.

That said, metrics should focus on identifying assets and building lines of defense to best contribute to your organization’s efforts to protect the enterprise. KPIs should help optimize cybersecurity by allowing you to focus on stopping low-value activities, increasing efficiency, and reinvesting funds in emerging and innovative technologies to enhance your protection.

You may also need to choose benchmarks for your vendors and other third parties who have access to your networks and can expose your organization to risk.

To determine which KPIs to track, examine your organization’s overall security program maturity from the top down. Identify the main categories you need to measure and follow them with sub-metrics that contribute to the main categories’ overall scores.

Not committing to make changes based on metrics Measuring too much, too soon, too little, or too late Measuring the wrong things Not defining metrics precisely Not using data to evaluate individual or personnel performance Using metrics to motivate rather than understand Collecting data that isn’t used Having a lack of communication and training Misinterpreting data

Metrics collected and reported should follow the “SMART” structure: Specific: targeted to the area being measured, not a byproduct or result Measurable: data collected is accurate and complete Actionable: easy to understand the data and take action Relevant: measure what’s important about the data Timely: data is available when you need it