KPI’s For Measuring Compliance Effectiveness

Published September 20, 2018 by 5 min read

Back in the old days, like 1996, key performance indicators (KPIs) for compliance were easy. Annually, someone came into your organization, reviewed a set of documents within a specific time frame, and gave you a score. Similar to school, you knew from your grade on the test how well your compliance program measured up. Today, the rising costs and sophistication of data breaches mean information security compliance programs need to evolve to keep pace. Measuring compliance program effectiveness now requires tools to provide continuous insight into how well your controls protect your environment.

Key Performance Indicators For Compliance

What are KPIs?

Key performance indicators (KPIs) assist senior management with decision-making. In some cases, KPIs are qualitative, based on observations. In other cases, they’re quantitative, based on metrics. Both types of KPI provide useful information for decision-makers. However, increasingly, organizations need objective metrics that provide valuable data for their organizations.

If you live in a place where the speed limit is posted in miles per hour, but your speedometer shows kilometers per hour, you don’t have useful information to avoid a ticket. KPIs work the same way: you need to find the right tools to give you the measurements that match your business processes.

Why use KPIs for compliance?

Audits and questionnaires illuminate a single point in time. Traditional audits no longer provide assurance for cybersecurity because malicious attackers don’t just try to infiltrate your data environment once a year during a three-month period. They’re continually trying to gain access to your information. Additionally, vendor questionnaires require you to trust your business partners. Unfortunately, rising data breach costs mean that friendship and trust only go so far. You need to trust your third-party partners but also verify their controls independently.

How to use risk management establish KPIs

Your data security KPIs, however, can’t stand alone. Compliance begins with the risk management process, and that process begins by determining your objectives. You can’t measure effectiveness without baseline goals. To identify those goals, you need to start by asking some difficult questions.

Determine Organizational Objective

To establish your baseline corporate goals, you need to review where you are and where you want to be. No business wants to remain stagnant. To create appropriate compliance KPIs, you need to make sure that you’re thinking about the present but also looking to the future.

Different industries may require different KPIs. For example, a financial institution may need to think about customer access to money while a Software-as-a-Service provider may need to think about the different markets it enables. Some core questions to explore are:

  •   What are the cross-departmental objectives?
  •   What risk mitigation strategies strengthen profitability by enhancing business performance?
  •   What unexpected events reduce operational efficiency?
  •   What potential revenue streams do you want to tap into?
  •   What are the risks facing those?
  •   How likely are you to face those new risks?

Assess the Risks

All measurements begin with a baseline. No matter what you measure, you need to have a starting point. If you’re trying to track how many miles you drove, you need to know what your mileage was at the start of the trip. The risk assessment helps you determine your starting baseline. Ask yourself:

  •   What are my information assets?
  •   Where are my assets located?
  •   Who accesses my information assets?
  •   What protections am I using to protect these assets?
  •   What is the likelihood the protections will fail?
  •   What assets are most important to my business objectives?
  •   What assets are more critical to hackers?
  •   What types of risk (strategic, reputation, financial) does the information pose?

What are some KPIs my compliance officer can use?

Outside of the information security arena, cybersecurity performance seems intangible. Technical jargon disguises the simple premise that information security KPIs are substantially similar to other types of metrics. They focus on time, money, and value. Translating KPIs from technical to business language enables better compliance decisions. Finding the right metrics to identify compliance issues may include:

  • Mean Time Between Failure (MTBF): How many days has it been since you had a system failure? If you have a long time between system failures, it indicates that you’re keeping your systems healthy.
  • Percent Difference in MBTF: Do some systems experience more failures than others on a month-to-month basis? If some systems fail more often, you might have weaknesses that need remediation.
  • Mean Time to Repair (MTTR): How many hours, on average, does it take to fix a problem and get you back to normal again? If it takes a long time to repair a problem, you might need to review staffing and resources.
  • Percent Different in MTTR: As a percentage, are you speeding up the time it takes to get up and running again? If you’re getting back to normal again faster than before, you can show that you fixed problems you detected earlier.
  • System Availability: Divide the number of minutes that all your systems were available to everyone by the number of minutes they should have been available. If systems were unavailable when they should have been accessible, you might have a data accessibility issue that needs remediation.
  • Percentage of Downtime Due to Scheduled Activities: Divide the number minutes your IT function spent on planned system maintenance by the total number of minutes in the chosen time frame. If your IT team is spending a lot of time on planned maintenance, you might need to look at the age of your infrastructure or consider whether particular vendor threats are putting you at risk.
  • Percentage of Scheduled Maintenance Activities Missed: Divide the number of devices that were not serviced in a given period by the total number of scheduled services. If your IT department isn’t servicing all the devices they’re supposed to, your employees may need more compliance training to remind them to make the devices available, or you might need more IT staffing to meet demand.
  • Percentage of Critical Systems without Up-to-Date Patches: Divide the number of critical systems without recent updates by the total number of critical system devices and systems. If you have a high percentage of critical systems missing patches, then you might be at risk for a common vulnerability attack and be at risk of non-compliance.
  •  Percentage of Network Devices Not Meeting Configuration Standards: Divide the number of network devices (such as modems, routers, switches) that aren’t configured according to your policy by the total number of devices. If you have a high percentage of network devices configured incorrectly, it might indicate that they are vulnerable to attack and not in compliance.

How ZenGRC Streamlines Your Compliance Program

Auditing IT security requires vast amounts of documentation. SaaS tools, like ZenGRC, speed the process of aggregating information. They also help stakeholders communicate better. When multiple areas of an organization are creating and attempting to implement their own controls, security audit documentation becomes unwieldy and time-consuming to compile.

ZenGRC simplifies the IT audit process, beginning with its risk assessment modules. ZenGRC offers risk assessment modules that give insight into both vendor risk and company risk. The Risk Trend and Risk Responsibility graphics provide easy-to-digest, color-coded visuals that provide management a view of the company’s current risk.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo