Define and evaluate Key Performance Indicators
A Key Performance Indicator is a measurable value that demonstrates how effectively a company is achieving key business objectives. You can use KPI's to evaluate your success in reaching your Security Program Targets.
KPI's should be aligned by the business, and driven and defined by Senior Management, based on the desired outcome of your ICT Security Program.
KPI's are not static, and will need to be updated at regular intervals. KPI's can change because of technical parameters (e.g. a move to the cloud) or from business parameters (a shift in how your business is operating).
Setting the correct KPI's for your environment can be a challenge. International standards, local law compliance or industry best-practices can help you setting the correct KPI's for your organization.
One way to evaluate the relevance of a performance indicator is to use the SMART criteria. This stands for Specific, Measurable, Attainable, Relevant, Time-bound.
In other words:
- Is your objective specific?
- Can you measure progress towards that goal?
- Is the goal (realistically) attainable?
- How relevant is the goal to your organization?
- What is the time frame for achieving this goal?