What are KPIs?
Key Performance Indicators (KPIs) are measures of performance. They are commonly used to help an organization track progress towards long-term organizational goals by defining and evaluating performance progress. A McKinsey survey reveals that boards share frustration with top executives due to the lack of effective integrated approaches to cyber risk management and reporting.1 Specific gaps that were reported:
Lack of structure. Boards and committees are overwhelmed with reports which include dozens of KPIs. These are often poorly structured and inconsistent, leading to dissatisfaction.
Lack of clarity. Reports often fail to convey the implications of risk levels for business processes, as reporting is often filled with jargon and technical shorthand. The consequence of this is that boards and executives struggle to get a sense of the overall risk status.
Lack of consistent real-time data. Disparate groups in organizations often use different and potentially conflicting information to describe and evaluate the same cyber risk. On top of this, the underlying data is often outdated.
The theme that emerges from these gaps is that organizations are investing resources into risk assessment and reporting, but due to the apparent lack of coordination and finesse, the critical messages are not being received in a clear, accurate, and comprehensive manner. This is where scorecards come in. A scorecard is a vehicle through which all of these pieces of information can be organized, coded, and easily interpreted by a non-technical audience, such as management. In order to develop a scorecard, objectives and “success” need explicit definitions2. With the full involvement of management, targets and measures, leading and lagging indicators, data (in context, with ratios, year-over-year comparisons, etc.), and other KPIs can presented in a color-coded report that provides a clear understanding of what the goals are and what the progress is towards achieving those goals. The scorecard is representative of a Results-based Management (RBM) approach which uses feedback loops to achieve strategic goals.
Organizing KPIs in a scorecard gives confidence that programs are being managed well through transparency. In terms of cybersecurity, scorecards can include KPIs that are indicators of risk, as well as indicators of performance. Examples of cybersecurity KPIs could include levels of preparedness, intrusion attempts, mean time between failures (MTBF), mean time to detect (MTTD), mean time to acknowledge (MTTA), mean time to contain (MTTC), mean time to resolve (MTTR), mean time to recover (MTTR), cybersecurity awareness training results, access management, security policy compliance, non-human traffic, virus infection monitoring, phishing attack success, and cost per incident. By presenting this information in a scorecard that is clear, consistent, and easy to interpret, risk leaders are protecting the organization from any cybersecurity lapses that can result from miscommunication between technical and non-technical factions, and they are fostering trust and confidence as well.
1 McKinsey, 2018, “McKinsey Global Survey”
2 Wagner, 2017, USDA, “Creating a Cybersecurity Scorecard”