Tag Archives: Metrics

The importance of strategy, metrics and KPIs


  • Security has always been and will continue to be a moving target
  • Information Security has always been and will continue to be a fast moving target
  • Doing ‘security by audit’ only fail. Security strategies are required to adapt to new threats.
  • Strategy, metrics and KPIs must be available and flexible enough to adapt to changes in the business

There are people out there that may remember this:
Centralised computing (Mainframes)->Client/server computing->Centralised  computing(Data centres/virtualisation)->Decentralised computing(Cloud)…

During each stage, information has shifted back and forth between computing models and business boundaries.

What has always been at the core is the ability for any Information Security discipline to identify and secure this information where ever it may be.

There are organisations that are at the cutting edge and there are some that still use mainframes.

If the organisation’s security strategy is to ensure that all systems are behind a perimeter but yet, data is in a 3rd party cloud, the strategy is destined to fail.

This is one the reason why organisations only doing ‘security by checkbox’ continue to get compromised. Iterations of audits/standards must consider change in order to keep pace with the current threat environment. Ticking checkboxes can only provide you with a *baseline* level of security.

Security gaps appear between the last checkbox review and new developments from the adversary.

Strategy or to be precise, Information security strategy is designed to ensure that information remain secure, agnostic of business/computing model.

Strategy should consider and respect the basic security tenets: CIA triad, need to know, data at rest/transit, etc…

Metrics are used to gauge what the current state of play is. Nothing complex, just plain and simple information. Items of interest include: computing equipment, applications, data and associated classifications, etc.

KPIs are used to ensure that any program being implemented meet or exceed the intended level of protection. eg: ‘Strength’ of countermeasure, level of compliance, effectiveness/penetration of policy, etc. This is continuously reviewed based on the security strategy/scope, ie: strategy/scope changes the KPI changes.

As a specific working example (don’t implement to this level of detail, it should be from a higher level)

  • Strategy: ensure that the passwords remain secure and only accessible to me and another person, passwords are to be kept in a centralised location and not transmitted over the wire, etc…
  • Metrics: Who has accessed it? How many times has it been accessed? Number of attempted breaches? Number of successful breaches? etc
  • KPI: Has there been any attempts to gain unauthorised access to the passwords? How long did it take for the breach to be reported? Was it handled promptly and closed?

Without the above, adapting security to a changing environment is an extremely difficult task.