In the previous two columns I asked a few questions and discussed the concepts of what is security’s role and how would you evaluate security’s role? I’d like to dive into a specific risk-based security measurement, which is Key Risk Indicator, or KRI.
The previous articles focused on security’s role as being risk based. Yet, our outputs are often targeted towards communicating the effectiveness and efficiency of our tasks, which don’t necessarily reflect the security risk role that we play.
That’s where a KRI can communicate security’s role as being risk based and provide a vehicle to present a metric or output specifically targeting and communicating that role.
What is a KRI and how do you build one? Wiki says, “A KRI is a measure used in management to indicate the risk level of an activity. Key Risk Indicators are metrics used by organizations to provide an early signal of increasing risk exposure in various areas of the enterprise.” In this example, the “area” in the enterprise would be security, as an entire program or broken down to a security function. I suggest having a KRI for each major function or program. There should be a KRI for physical security, information security, fraud management, cyber, BCM, etc., and they can be broken down further as needed.
To build a KRI, you first need to scope out the area (function, risk, program) it should apply to. It should be developed with the asset owners and stakeholders, with security’s input and guidance as subject matter experts. It should be able to communicate that the security risk tolerance is or is not being met. Start that simple. The metric could be a number, a percentage or even a subject matter opinion…call it a gut instinct, so long as it’s agreed upon. Then, report to it with supporting data to back the KRI findings.
Here are some examples. For cyber, a vulnerability management program may report metrics on the number of vulnerabilities and how quickly they get resolved. The KRI, however, may measure not the quantity of vulnerabilities, but how many impact critical company assets that haven’t been resolved in 10 days, because that’s what was tolerable. If there are more than one, that could be the KRI. Maybe it’s 10.
Fraud management may be the percentage of recent sales that never pay a monthly bill. It’s probably not zero percent, but maybe it’s an agreed percentage of five. That would be the KRI.
For workplace violence, it could be the experience of the HR and security lead’s collective judgement, and agreed upon by the stakeholders. That is a KRI, as well. It’s different than reporting the number of workplace violence threats that came in that month, and it definitely communicates a different viewpoint.
Keep in mind that a KRI doesn’t have to communicate a metric. It should, however, reflect the role of security and the role that security plays with an enterprise security risk management (ESRM) focused security program.