• Use of performance measures is an essential part of gathering the information
needed to make informed decisions, especially when it comes to cybersecurity.
• Many executives have found that an important way to organize information effectively
is simply to be informed about the unusual.
• You should measure your cybersecurity posture as part of your efforts to practice
due care and due diligence, monitor and control your information systems, maintain
legal and regulatory compliance, meet contractual obligations, and maintain
certifications.
• Cybersecurity performance measures facilitate decision-making, improve performance
and accountability, and support efforts to reward and discipline your staff.
• There are no universally agreed-upon standard cybersecurity metrics for executives.
• Executives have several key decisions to make about their performance measures:
  ◦ Decide what it is you are going to measure.
  ◦ Decide how you are going to measure.
  ◦ Decide how your metric information will be reported.
  ◦ Decide how your performance measurement program will be implemented.
  ◦ Set performance targets and key performance indicators.
• Every executive should seek to answer the following questions through their
cybersecurity performance measures:
  ◦ What are our threats?
  ◦ How effective are our systems?
  ◦ How vulnerable are we?
  ◦ Do we have the right people, are they properly trained, and are they following
    the proper procedures?
  ◦ Am I spending the right amount on cybersecurity?
  ◦ How do we compare to others?
• You can create an executive-level dashboard of performance measures that will
help you answer the cybersecurity questions every executive should ask.
• Recommended cybersecurity performance measures are provided to help you
create your Executive Cybersecurity Dashboard.
• Your Executive Cybersecurity Dashboard relies on the decisions you make regarding
your key performance indicators.