This document discusses metrics, measures, and myths related to security metrics. It begins by defining some key terms and presenting quotes emphasizing the importance of measurement. It then addresses five common myths about metrics and emphasizes that metrics should be used to identify opportunities and drive improvement, not to punish people. The document outlines characteristics of good metrics and provides examples of security metrics and key performance indicators. It discusses how metrics can be displayed in dashboards and how monitoring transforms data into useful security information and knowledge.
Introduction to the Agile methods used at InfoJobs. Description of the Agile manifesto and principles. Overview of Scrum, kanban and scrumban as used at InfoJobs.
Valuendo 25 Things Not To Do (March 2009) Handout, by Marc Vael
The document is a presentation by Marc Vael from Valuendo titled "25 tips & tricks" for an InfoSecurity 2009 conference in March. It discusses 25 common misconceptions about information security. Vael polls the audience on their level of agreement with statements and lessons related to how security is understood, budgets are determined, policies are followed, and risks are managed within organizations. The presentation aims to challenge assumptions and encourage best practices.
ISSA Charlotte 2009: Patching Your Users, by Mike Murray
This document discusses how social engineering threats have replaced direct technical vulnerabilities as the main security risk, due to improvements in operating system security. It argues that traditional security awareness training does not effectively change user behavior because it is treated as mandatory training rather than persuasive marketing. The document advocates applying marketing principles to security awareness, including defining goals, measuring baseline user knowledge, developing an integrated marketing campaign using various communication channels, and re-measuring to evaluate impact and guide iterative improvement of the campaign. A case study example shows how these principles could be applied to a goal of improving password strength.
The document discusses auditing IT compliance and governance. It introduces CobIT, an IT governance framework that can be used to manage IT risks and compliance. CobIT provides over 300 control objectives that help ensure business objectives are met and undesired events are prevented or detected. The document outlines how CobIT can be used to design, implement, assess, and monitor an organization's IT compliance program.
Business is evolving, and IT governance frameworks like COBIT can help organizations adapt. COBIT provides a comprehensive framework for ensuring IT is properly governed and aligned with business needs. It addresses key areas like strategic alignment, value delivery, risk management, and resource management through establishing clear processes and controls. By implementing COBIT, organizations can improve transparency, accountability, compliance and overall IT performance.
The document provides an orientation on Six Sigma. It defines Six Sigma and quality, discusses the evolution of quality approaches, and outlines key Six Sigma concepts like the DMAIC methodology and sigma levels. It traces the origin and growth of Six Sigma from Motorola to GE. Tools used in the Six Sigma approach like process mapping, control charts, and root cause analysis are also introduced.
The document discusses cloud computing. It defines cloud computing as a pay-as-you-go model for using applications, development platforms, and IT infrastructure. It outlines some of the key domains in cloud computing including architecture, governance, compliance, security, and operations. It also discusses some of the key drivers and challenges of cloud computing. Finally, it discusses frameworks that can be used for assurance in the cloud such as COBIT, SOC reports, ISO27001, and others.
The document discusses threats and risks associated with cloud computing. It begins by defining cloud computing as a pay-as-you-go model for using applications, platforms, and infrastructure. It then outlines some key cloud security problems including lack of transparency from providers, data leakage and loss, insecure cloud software, and account hijacking. Finally, it provides 10 questions organizations should ask cloud providers to evaluate security, such as how identity and access is managed, where data will be located, and what security certifications the provider has.
ISACA Barcelona Chapter Congress - July 2011, by Ramsés Gallego
Non-IT presentation that delivers a message on the need to understand the human factor, immortality through technology, the moment of NOW, building bridges, singularity,...
The first 46 slides are NOT relevant since the 'real' presentation starts on slide 47... This is one presentation to attend and cannot be followed just by seeing the slides...
This presentation was given at the GRC Conference in Boston (October 2010) and explains the interesting triad of not only People, Process & Technology but also Culture, Structure & Strategy. Besides, it moves beyond the 'alignment' idea and goes deep into the 'synchronization' needs of today's companies.
This presentation was given at the GRC Conference in Boston (October 2010) and explains the importance of measuring performance for real value. It goes into the world of metrics and balanced scorecards.
Modern cyber threats and how to combat them (panel), by Ramsés Gallego
The document discusses modern cyber threats and how to combat them. It was presented by an ISACA panel. The panel covered identifying current threats like web 2.0 attacks, targeted messages, botnets, rootkits and data/identity theft. Specific threats discussed included Koobface worm, which spreads on Facebook, and spear phishing attacks. The panel also reviewed the top 10 botnets responsible for spamming and their characteristics. The panel advised on utilizing tools, techniques and tactics to identify incidents and determine network vulnerabilities.
From technology risk to enterprise risk: the new frontier, by Ramsés Gallego
This presentation was given at the ISRM Conference in Las Vegas (September 2010) and shows the shift in perception from Technology Risk to Enterprise Risk and how businesses and IT need to embrace that new frontier.
The document describes the functionality of a service management system that helps organizations improve the delivery of user support services. The system makes it possible to automate tasks such as opening and tracking incidents, offer self-service to users, integrate collaboration and knowledge tools, and provide metrics and reports that make it possible to improve service levels.
The document discusses strategies for mitigating malware risks. It begins by defining malware and different types. It then notes that malware has become more sophisticated, economically motivated, and backed by organized crime. Traditional anti-virus solutions are becoming less effective against new attacks. The document proposes understanding malware risks and market values of stolen data. It provides an overview of common crimeware families and discusses spyware, how it infiltrates systems, and threats it poses to organizations. Finally, it describes how botnets are used to commit financial fraud and are adopting new techniques like peer-to-peer networks.
The document discusses data loss prevention (DLP) concepts and solutions. It notes that data is increasingly mobile and at risk of theft or loss, while regulations have increased around data protection. A holistic approach is needed to secure data across devices, locations, and applications. This involves classifying sensitive data, monitoring its movement, and implementing controls like encryption, device control, and DLP to block unauthorized transfer of information and gain full visibility and control over data usage and movement. A phased implementation approach is recommended to achieve complete data protection.
Risk is an inherent part of any business and it is impractical to eliminate all risk. There are different categories of risk including reputation risk and project management risk. Risk management aims to balance opportunities and losses through processes like risk assessment, treatment, communication, and monitoring and review. Key factors in risk analysis include asset valuation, value at risk, single loss expectancy, and annual loss expectancy. Effective risk communication requires established communication channels and linkage to incident response. Risk management is a continuous process that evolves over time.
This document describes Entel's Single Sign-On (SSO) solution for providing single, secure access to multiple applications. Entel's SSO allows users to log in once and access applications such as ERP, e-mail and web applications automatically. It offers centralized access management, strong authentication and flexibility in implementation. It reduces costs and improves user productivity and satisfaction.
This document deals with information security in the workplace and data loss prevention. It discusses common threats such as the loss or theft of portable devices, unauthorized access to privileged information, and information leakage through e-mail or copy and paste. It also covers strategies such as data encryption, device control, and data loss detection and prevention to protect information in a flexible, device-independent way.
This document presents Entel's security and risk management services. It describes its vision and strategy, including threat management, identity and access management, and security. It explains its managed service model, which offers security solutions as outsourced services focused on risk mitigation. Finally, it summarizes some references from Entel projects in threat management, identity and security.
Industrial Tech SW: Category Renewal and Creation, by Christian Dahlen
Every industrial revolution has created a new set of categories and a new set of players.
Multiple new technologies have emerged, but Samsara and C3.ai are only two companies which have gone public so far.
Manufacturing startups constitute the largest pipeline share of unicorns and IPO candidates in the SF Bay Area, and software startups dominate in Germany.
Anny Serafina Love - Letter of Recommendation by Kellen Harkins, MS. (AnnySerafinaLove)
This letter, written by Kellen Harkins, Course Director at Full Sail University, commends Anny Love's exemplary performance in the Video Sharing Platforms class. It highlights her dedication, willingness to challenge herself, and exceptional skills in production, editing, and marketing across various video platforms like YouTube, TikTok, and Instagram.
Event Report - SAP Sapphire 2024 Orlando - lots of innovation and old challenges, by Holger Mueller
Holger Mueller of Constellation Research shares his key takeaways from SAP's Sapphire conference, held in Orlando, June 3rd to 5th 2024, in the Orange County Convention Center.
[To download this presentation, visit:
https://www.oeconsulting.com.sg/training-presentations]
This presentation is a curated compilation of PowerPoint diagrams and templates designed to illustrate 20 different digital transformation frameworks and models. These frameworks are based on recent industry trends and best practices, ensuring that the content remains relevant and up-to-date.
Key highlights include Microsoft's Digital Transformation Framework, which focuses on driving innovation and efficiency, and McKinsey's Ten Guiding Principles, which provide strategic insights for successful digital transformation. Additionally, Forrester's framework emphasizes enhancing customer experiences and modernizing IT infrastructure, while IDC's MaturityScape helps assess and develop organizational digital maturity. MIT's framework explores cutting-edge strategies for achieving digital success.
These materials are perfect for enhancing your business or classroom presentations, offering visual aids to supplement your insights. Please note that while comprehensive, these slides are intended as supplementary resources and may not be complete for standalone instructional purposes.
Frameworks/Models included:
Microsoft’s Digital Transformation Framework
McKinsey’s Ten Guiding Principles of Digital Transformation
Forrester’s Digital Transformation Framework
IDC’s Digital Transformation MaturityScape
MIT’s Digital Transformation Framework
Gartner’s Digital Transformation Framework
Accenture’s Digital Strategy & Enterprise Frameworks
Deloitte’s Digital Industrial Transformation Framework
Capgemini’s Digital Transformation Framework
PwC’s Digital Transformation Framework
Cisco’s Digital Transformation Framework
Cognizant’s Digital Transformation Framework
DXC Technology’s Digital Transformation Framework
The BCG Strategy Palette
McKinsey’s Digital Transformation Framework
Digital Transformation Compass
Four Levels of Digital Maturity
Design Thinking Framework
Business Model Canvas
Customer Journey Map
Let's have a look at today's main points on the agenda. First of all, we are going to see the power of metrics and how important they are for knowing what is happening in a company and how the enterprise is doing in terms of bottom-line impact. Metrics are the indicators that tell not only management but also the people in day-to-day operations how well they are performing against already established goals and business objectives. As we will see later, there is a way (and a deep need, in my opinion) to align security management with the business.
We will also give a quick overview of what CSFs, KGIs and KPIs are and the intimate relationship between them.
As a security practitioner and consultant, I will give you some real examples of KPIs and how they integrate into a balanced scorecard, and also talk about a real implementation of a security dashboard at a customer.
Finally, to wrap up, we will see the SMART side of metrics and a quick summary. Let's go.
Objectives need to be defined
The course is charted
Risks are identified, evaluated and managed
Resources and their criticality and sensitivity are determined
Objectives are:
Strategic alignment
Risk Management
Business process assurance
Value delivery
Resource Management
Performance measurement
It is said that you cannot manage what you cannot measure (and I fully agree with that vision); my colleague Krag Brotby will give a presentation about it later in the day.
It has to be pointed out that normalization of data is very useful, since you have to be able to compare between departments and divisions but also with other industry peers. Normalization places all the measures on a similar footing by equalizing them across a common organizational base.
Besides, metrics are rarely raw data but some derived number (ratio, index, percentage or weighted average).
Critical to the successful implementation of metrics is the understanding and acceptance that they require a significant commitment of time and resources.
Regarding IC, each organization needs to decide how important each attribute is for its business; this profile expresses the enterprise's position and appetite for risk.
CSFs were introduced by John F. Rockart in 1979 and are defined as elements that are vital for a strategy to be successful. At another level they could also be seen as the important things for the process, in this way: "what you need from others" and "what you can do yourself and deliver to others".
KGIs are a target to achieve, a measure of outcome
We are going to focus today on KPIs, since they are the day-to-day metrics, the ones being monitored constantly.
In this context we need to remember that IT is a major enabler of the business and, therefore, KPIs are a measure of performance.
As you can see in the graphic on the left, KGIs sit just above the generic IT goals and KPIs sit next to the IT processes, showing their area of influence. Consequently, we could define KGIs as “lag” indicators while KPIs could be “lead” indicators. By the way, both measures could also be expressed negatively, showing that the goal has not been reached or that the process is not performing well.
KPIs have a cause-effect relationship with KGIs of the process
In summary, KGIs are business-driven while KPIs are process-oriented
I think that KGIs and KPIs do reflect organizational goals. Once a company has analyzed its mission, identified all its stakeholders and defined its goals, it needs a way to measure progress. KPIs are those measurements. Take into account that some analysts and consultants also call KPIs KSIs (Key Success Indicators), but the former acronym (with a P for performance) is far more common, giving it a sense of direction and continuous monitoring.
Top-down approach
KPIs are quantifiable measurements, agreed to beforehand. However, I would like to deviate from the idea that there is a kind of negotiation with KGIs and KPIs. There should be an agreement but what really matters is the strategy and how a company is going to measure the achievement of the target. In the same way, scaling down to the IT or security department, there should be an agreement (again, not a biased negotiation) of what is needed and how security brings and adds value to the business (by preventing threats exploiting a vulnerability better than last month or year or some other measures that we are going to see in a moment).
This takes us to a whole new level of data visualization and integration: dashboards and balanced scorecards. Introduced by Robert Kaplan and David Norton in the early 90s (1992 to be precise), balanced scorecards convert strategy into action by showing in a single, centralized place all the metrics that executive management needs to make decisions. In fact, not only management but also operational teams and divisional managers are empowered by balanced scorecards, since different views and information are provided depending on the role and profile of the viewer.
The definition of BSCs given by Mr. Kaplan and Mr. Norton is very interesting. Listen for the words: comprehensive view, performance, management tool. A BSC is a method and a management tool for keeping the enterprise’s activities aligned with its vision and strategies by giving managers a fast, comprehensive view of the performance of a business. It is here where we should introduce the 4 different perspectives of a balanced scorecard: financial, customer, internal process and learning/innovation.
Scorecards - the most strategic level of business decision-making, while dashboards work more on the operational side, giving key users the metrics of their area of influence
Level 0 - Non existent
Level 1 - Initial
Level 2 - Repeatable
Level 3 - Defined
Level 4 - Managed
Level 5 - Optimised
“Knowledge resides in the person, not in the data…it is the response and action to information that counts”
We built upon other disciplines like network management, asset management (CMDB) and storage management (backup & contingency plan) so as to provide a single repository of information, and began climbing what we called “The road to management”.
“You need to know what you have to be able to protect it”
3-layer architecture
We focused a great deal on showing a KPI regarding critical operations: which nodes out of 1453 were at risk and, consequently, which operations were being threatened. Remember at this point the definition of risk: the potential that a given threat will exploit a vulnerability with an impact on an asset or group of assets.
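As an added illustration (not code from the presentation or the customer implementation) of the two points above, derived and normalised metrics and the nodes-at-risk KPI, the following Python computes a percentage of nodes at risk, normalises it per department, maps node risk to the critical operations that depend on those nodes, and folds the departmental figures into a weighted index. The inventory, department names, operations and weights are constructed sample data standing in for a CMDB.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    department: str
    at_risk: bool            # True when an unmitigated vulnerability affects this node
    operations: tuple = ()   # critical business operations that depend on this node


# Constructed sample inventory standing in for the CMDB (not real data).
NODES = [
    Node("web01", "Sales", True, ("Order entry",)),
    Node("web02", "Sales", False, ("Order entry",)),
    Node("db01", "Sales", False, ("Order entry", "Invoicing")),
    Node("fs01", "Finance", True, ("Invoicing",)),
    Node("app01", "Finance", False, ("Payroll",)),
    Node("hr01", "HR", False, ("Payroll",)),
    Node("hr02", "HR", False, ()),
    Node("hr03", "HR", False, ()),
]


def nodes_at_risk_pct(nodes):
    """Derived KPI: percentage of inventoried nodes currently at risk (not raw counts)."""
    if not nodes:
        return 0.0
    return 100.0 * sum(n.at_risk for n in nodes) / len(nodes)


def at_risk_by_department(nodes):
    """Normalise per department so a 3-node unit and a 300-node unit compare on equal footing."""
    groups = defaultdict(list)
    for n in nodes:
        groups[n.department].append(n)
    return {dept: round(nodes_at_risk_pct(group), 1) for dept, group in groups.items()}


def threatened_operations(nodes):
    """Lead indicator: critical operations with at least one dependent node at risk."""
    return sorted({op for n in nodes if n.at_risk for op in n.operations})


def weighted_risk_index(nodes, weights):
    """Weighted average of departmental percentages; weights express business criticality."""
    per_dept = at_risk_by_department(nodes)
    total_weight = sum(weights.get(d, 1.0) for d in per_dept)
    return round(sum(pct * weights.get(d, 1.0) for d, pct in per_dept.items()) / total_weight, 1)


if __name__ == "__main__":
    print(nodes_at_risk_pct(NODES))                                   # 25.0
    print(at_risk_by_department(NODES))                               # Sales 33.3, Finance 50.0, HR 0.0
    print(threatened_operations(NODES))                               # ['Invoicing', 'Order entry']
    print(weighted_risk_index(NODES, {"Finance": 3, "Sales": 2, "HR": 1}))  # 36.1
```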
(meaning alignment with the business)
(since KPIs are “lead” indicators)
FOCUS