Cybersecurity key risk indicators examples
Percentage of System Changes Not Mirrored on Backup Systems Within 24 Hours Following Launch (All Systems): The number of system changes that were successfully launched to the live environment that were not mirrored on backup systems within 24 hours following the successful launch, as a percentage of total changes successfully performed during the measurement period.

The best IT security professionals use metrics to tell a story, especially when giving a report to non-technical colleagues. What would you add or remove to best define and describe the performance of your cybersecurity program? A good rule of thumb is if your non-technical stakeholders can't understand them, you need to pick new metrics or do a better job of explaining them.

How many users have administrative privileges?

Percentage of Critical Systems without Up-to-Date Patches: The total number of critical systems (all deployed instances of the system or application running on each device/workstation) that do not currently have up-to-date patches installed and running, as a percentage of total critical system end user devices/workstations.

Recent big headline data breaches of customer data include Target in 2013, Experian in 2017, and now Facebook in 2018.

Percentage of Firewall Rules Added or Changed Within Last 90 Days That Were Formally Documented: The number of changes to firewall rules that were applied to the company's firewall (across all firewall applications/systems in use) that were formally documented according to the company's policies/procedures, as a percentage of total firewall rule changes applied within the last 90 calendar days.

This shouldn't be too hard to justify, given that the average data breach costs organizations $3.92 million globally and $8.19 million in the United States.
Percentage of IT Projects Reworked Due to Misaligned Requirements Within the Last 90 Days: The number of IT projects that, within the last 90 days, required re-scoping or re-prioritization due to business requirements that were not clearly defined, or were not sufficiently reviewed by key stakeholders prior to project launch, as a percentage of total IT projects running.

Security ratings can feed into your cybersecurity risk assessment process and help inform which information security metrics need attention. They can stop an organization from developing the exciting processes that will make them leaders in their space.

An ineffective cybersecurity governance program will lead to increased security breaches, compromises, and attacks.

How many times have bad actors attempted to gain unauthorized access? How long does it take your team to implement application security patches or mitigate high-risk CVE-listed vulnerabilities? What is the mean response time for your team to respond to a cyber attack once they are aware of it?

Average Page Views per Visit: The average number of individual web pages viewed by a website visitor during the course of a single visit, or session, during the measurement period.

Level of Preparedness: How many devices on your corporate network are fully patched and up to date?