Delivering Metrics
Sample Engagements
Capability Assessment
A 4-6 week engagement identifies the following requirements:
Starting Out
New Metrics
Initial Agreement of Metrics, RAGs, and Dashboards
Step 1: Initial agreement of metrics with stakeholders
Step 2: Stakeholder review, including data providers
Step 3: Data collated for new metrics
Step 4: Review of metrics results with business
Growing Up
Dashboard Enhancements
Initial Agreement of Metrics, RAGs, and Dashboards
Step 1: Stakeholder requirements workshops
Step 2: Enhanced dashboards agreed
Step 3: Dashboard technology updated
Step 4: Rollout to business stakeholders
Maturity
Asset Management
Initial Agreement of Metrics, RAGs, and Dashboards
Step 1: Asset data providers workshops
Step 2: Data provided and integration to technology
Step 3: Visualisations updated with the new data
Step 4: Asset improvements identified
Different starting points, same direction of travel
What Success Looks Like: Critical Factors
Success looks like risks moving within tolerance and to appropriate timelines. To make that happen effectively:
All measurable controls have metrics.
The metrics include the different control dimensions.
People understand the metric specifications.
Pragmatic risk tolerances are agreed.
Dashboards support the needs of each stakeholder.
Success Outcomes
Control weaknesses and priority are visible to stakeholders
Remediation owners know specific assets to be addressed
An overall reduction in security risk
What Success Feels Like: Security Risk Reduction
This is a typical maturity journey post implementation: