“What gets measured gets improved”
“What gets measured gets improved”
“What gets measured gets improved”—security metrics are critical to understanding the health of the function and provide a transparent picture of the security organization.
Oversight & Management Controls
Oversight and management controls ensure performance meets expectations. Management oversight ensures everything ties together within a continuous improvement loop. The results provide transparency on the adoption of the controls framework, inform the governance structure, challenge the scope, and lead to gap-based and risk-informed initiatives for inclusion in the business plan.
Review meetings ensure leadership is effectively informed and engaged in driving their respective areas’ performance. These meetings are regularly scheduled to provide management oversight of organizational performance, identify learning opportunities, and support continuous improvement. These should include security stakeholders from throughout the enterprise
Self-assessments answer the question, “How are we doing?” Self-assessments evaluate core function performance in each area by determining current performance, identifying gaps between current and desired performance, and defining strengths and deficiencies. A self-assessments plan is developed and reviewed at the beginning of each year
Peer groups communicate frequently and meet regularly to collectively analyze/monitor core function performance metrics, identify gaps, and drive continuous improvement and core function oversight and support
CAP is a standard approach for issue resolution that provides a formal list of risk-based prioritized issues, a consistent process to investigate and resolve issues, and a mechanism to track all corrective actions
Developing, implementing, and monitoring a comprehensive set of core function performance metrics will set expectations and identify gaps or adverse trends
References
You cannot copy content of this page
