“Are we there yet?” is a familiar refrain heard from the back seat on long car trips. My parents used to hand me the map and say, “Here, look for yourself!” It was always obvious that we had not arrived yet, but at least by looking at the map and highway signs, I could determine roughly where we were. Similarly, senior executives in an organization often ask the CISO a deceptively simple question, “Are we secure?” The fact is security is a journey and not a destination. It’s no coincidence the term, “security roadmap,” is used so often.
As security professionals, we have many tools to determine where we are and whether we have arrived at our destination or met our objectives. Some of those tools include Self-Assessment Questionnaires (SAQ) discussed in the previous post, maturity models, audits, assessments and frameworks. One often overlooked tool are key risk indicators.
Key risk indicators (KRI) are the highway signs of the security journey, akin to “Bridge Freezes Before Road,” and “Dangerous Curve Ahead.” By collecting data on how well an organization is addressing critical risks, KRIs inform the organization about potential future risk. It may be obvious that most people would like to be informed the bridge is out ahead while driving their car, it’s striking how many organizations don’t track even the most basic KRIs, a few of which I have outlined below.
Key Risk Indicator 1: Security Awareness
The percentage of employees who have received basic security training in a given week/month/quarter is a strong indicator of your organization’s ability to identify and avoid a successful phishing attack, provided the training is effective. The ideal percentage completion would be 100 percent, but what percentage of employees have received basic security awareness training at your organization and is that level acceptable?
Key Risk Indicator 2: Malware Prevention
Anti-virus or anti-malware is often seen as a “set and forget” function, but there are many subfunctions that must work together to effectively protect devices. Some great malware-prevention KRIs include what percentage of your organization’s devices have anti-malware installed? How many of those devices have protection enabled or full scans scheduled to run. When did the anti-malware protection last report its status to the management console? How many devices have malware signatures updated within the last 12 hours? A low percentage of compliance in any of the above areas can indicate increased risk to the organization.
These simple starter KRIs should be something every organization collects. The best part is that the above examples are probably not going to cost you anything to start doing today, except the time to gather the information.
KRIs can be created for almost anything, but which ones are meaningful depends on each organization. Effective KRIs have a few things in common; the associated Information must be available, measurable, timely, accurate and meaningful. Most importantly, your organization must set the level at which the condition is unacceptable, and corrective actions should be taken. An example is shown below as “Percentage of Devices with Anti-Malware Enabled,” by month.
Month/Percent Compliant
January/97
February/98
March/88
April/82
May/79
June/76
If an organization established 98 percent coverage as the objective for anti-malware protection but tolerated a three percent deviation, actions should have been taken in March to determine the cause of the decrease in anti-malware protection. Reduced anti-malware protection coverage is a key risk indicator that can predict anything from an employee inconvenienced by the time needed to re-image a device from a minor infection to a full-blown malware outbreak at your organization.
Ultimately, each organization is on its own security journey, and no one can control the twists and turns of the road ahead or the surface conditions. Properly applied, KRIs can provide critical indicators of when it’s time to slow down or pull over.
If you’re interested in learning more about how KRIs can benefit your organization, contact me at info@southlakecyber.com or call 352.936.1886.
