There is no doubt about the huge and sometimes irreversible damage that can result from not investing in information security. However, managers have not always been very successful in showcasing returns on these investments. As the adage goes, no news is good news, and this is particularly true of security investments: if business operations are running smoothly without any security incident, the security investment has created real business value, but that value is invisible. There are, however, metrics which can be clearly presented to show the tangible benefits achieved from an information security or compliance project. So here are some of the metrics which I have used in my career so far for various information security and compliance projects in TCS.
For data retention and data protection compliance/regulation related projects:
- As part of the data retention policy enforcement/implementation, ensure that the count of records de-personalised (masked or anonymised) or deleted is captured, together with the date on which each record was processed.
- The volume of records de-personalised every quarter is in itself a very good metric to share with management, because it shows the exposure that has been removed: every record that no longer holds personal data is one that cannot be leaked or misused in a breach.
- Another metric is the percentage of data records de-personalised against the data records which must be de-personalised under the approved corporate retention policy. The denominator matters: it must be derived from the policy (records whose retention period has expired), not from whatever the cleanup job happened to process, otherwise the metric overstates compliance. This metric can be shown per data asset or across the entire IT landscape of a department, organisation or subsidiary.
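As an added example (not code from the original post), the following Python script computes both retention metrics above, the volume de-personalised in a reporting period and the percentage de-personalised against the records due under policy, per data asset and overall. The data classes, retention periods, asset names, dates and record layout are all assumptions made for illustration; a real implementation would read them from the retention policy and the data inventory.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

# Hypothetical retention policy (assumed values, not from the original post):
# data class -> maximum retention in days after the last business activity.
RETENTION_POLICY_DAYS = {
    "customer_contact": 365 * 3,
    "payment_card": 365,
    "hr_record": 365 * 7,
}


@dataclass(frozen=True)
class Record:
    asset: str                       # application/database holding the record
    data_class: str                  # key into the retention policy
    last_activity: date              # date the retention clock starts from
    anonymised_on: Optional[date]    # date masked/anonymised/deleted, None if still live


def is_due(record: Record, policy: Dict[str, int], as_of: date) -> bool:
    """A record is due for de-personalisation once its policy retention period has expired."""
    if record.data_class not in policy:
        # Refuse to guess: an unmapped data class means the inventory or policy is incomplete.
        raise ValueError(f"no retention period defined for data class {record.data_class!r}")
    return record.last_activity + timedelta(days=policy[record.data_class]) <= as_of


def depersonalised_in_period(records: Iterable[Record], start: date, end: date) -> Dict[str, int]:
    """Volume metric: records de-personalised per asset within [start, end] inclusive."""
    counts = Counter(
        r.asset for r in records
        if r.anonymised_on is not None and start <= r.anonymised_on <= end
    )
    return dict(counts)


def retention_coverage(records: Iterable[Record], policy: Dict[str, int], as_of: date) -> Dict[str, dict]:
    """Coverage metric: of the records due under policy as of `as_of`, how many are done.

    Returns {asset: {due, done, overdue, pct}} plus an '_overall' entry. The denominator is
    derived from the policy, not from what the cleanup job processed.
    """
    per_asset = defaultdict(lambda: {"due": 0, "done": 0, "overdue": 0})
    for r in records:
        if not is_due(r, policy, as_of):
            continue                       # not yet due: outside the denominator
        bucket = per_asset[r.asset]
        bucket["due"] += 1
        if r.anonymised_on is not None:
            bucket["done"] += 1
        else:
            bucket["overdue"] += 1         # due under policy but still holding personal data

    result, total_due, total_done = {}, 0, 0
    for asset, b in per_asset.items():
        pct = 100.0 * b["done"] / b["due"] if b["due"] else 100.0
        result[asset] = {**b, "pct": round(pct, 1)}
        total_due += b["due"]
        total_done += b["done"]
    overall_pct = 100.0 * total_done / total_due if total_due else 100.0
    result["_overall"] = {"due": total_due, "done": total_done,
                          "overdue": total_due - total_done, "pct": round(overall_pct, 1)}
    return result


# Constructed sample inventory for the example (not real data).
SAMPLE_RECORDS = [
    Record("crm", "customer_contact", date(2020, 1, 15), date(2023, 12, 20)),  # due, done last year
    Record("crm", "customer_contact", date(2020, 6, 1), None),                 # due, overdue
    Record("crm", "customer_contact", date(2023, 1, 1), None),                 # not yet due
    Record("billing", "payment_card", date(2022, 11, 5), date(2024, 2, 10)),   # due, done this quarter
    Record("billing", "payment_card", date(2023, 8, 1), None),                 # not yet due
    Record("hr", "hr_record", date(2016, 3, 1), date(2024, 1, 15)),            # due, done this quarter
    Record("hr", "hr_record", date(2017, 1, 1), None),                         # due, overdue
]
AS_OF = date(2024, 3, 31)


if __name__ == "__main__":
    print("De-personalised in Q1 2024:", depersonalised_in_period(SAMPLE_RECORDS, date(2024, 1, 1), AS_OF))
    for asset, m in retention_coverage(SAMPLE_RECORDS, RETENTION_POLICY_DAYS, AS_OF).items():
        print(f"{asset:>9}: due={m['due']} done={m['done']} overdue={m['overdue']} coverage={m['pct']}%")
```

The `overdue` count is the number worth escalating: it is the set of records that the approved policy says should no longer contain personal data but still do, broken down by the asset owner who has to act.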
For access recertification/review projects:
- Number of privileged accounts which were assigned an owner
- Number of privileged accounts which were attested by their owner
- Number of privileged accounts which were revoked
- Number of individual privileges (entitlements) which were revoked
- Number of system admin accounts in the database after the access review, compared with the number before it
For security logging and monitoring projects:
- Number/percentage of applications with logging and monitoring in place
- Number/percentage of applications with the capability to notify on a suspected breach
- Number of security incidents detected from security logs
- Percentage of security incidents detected from security logs which needed remediation (true positives rather than noise, which also indicates how well the detection rules are tuned)
Additionally, there are a number of metrics which can show a strengthening security posture. Some examples are the percentage of applications enforcing strong password policies, the percentage completion of security training by internal employees and vendors, the number of critical applications covered by penetration testing, and the number of critical and high findings detected by penetration testing together with how many of them have been remediated.
All these metrics need to be tied back to a specific regulatory compliance requirement, security requirement or security risk; a count on its own shows activity, while a count mapped to the risk it reduces shows the return on investment or business value created by the security project.