Metrics to Quantify Value Creation By Security and Compliance Projects

There is no iota of doubt of the huge and sometimes irreversible damage potential of not investing in information security. However, managers have not always been very successful in showcasing returns on these investments. As the adage goes no news is good news. This is particularly relevant in security investments. If business operations are running smoothly without any security incident, there is a huge business value that the security investment has created. However, there are always some metrics which can be clearly presented to showcase tangible benefits achieved from any information security or compliance project. So here are some of the metrics, which I have used in my career so far for various information security and compliance projects in TCS.

For data retention and data protection compliance/ regulation related projects:

  •  As part of the data retention policy enforcement/ implementation, ensure that count of records de-personalised/ masked/ anonymized or deleted is captured.
  • The volume of records de-personalised every quarter in itself is a very good metrics to share with management to showcase the potential risk which has been mitigated.
  • Another metric can be the percentage of data records de-personalised against the data records which must be de-personalised based on the approved corporate retention policy. This metric can be shown against each data asset or across the entire IT landscape of a department, organization or subsidiary.

For access recertification/ review projects:

  • Number of privilege accounts which were assigned owner
  • Number of privilege accounts which were attested
  • Number of privilege accounts which were revoked
  • Number of privileges which were revoked
  • Number of system admin access in database after access review

For security logging and monitoring projects:

  • Number/ percentage of applications with logging and monitoring
  • Number/ percentage of applications with capability to provide notification of breach
  • Number of security incidents reported from security logs
  • Percentage of security incidents reported from security logs which needed remediation

Additionally, there are a number of metrics which can showcase strengthening security posture. Some examples are applications with strong passwords, percentage completion of security training by internal employees and vendors, the number of critical applications with penetration testing, number of critical and high defects detected from penetration testing etc.

All these metrics need to be tied down to action against regulatory compliance, security requirement or security risk to showcase the return on investment or business value creation by a security project.

Rate this article: 
Average: 1 (2 votes)
Article category: