Aggregate
Edward Marchewka
Strategic Executive | Cybersecurity & Risk Management | IT Strategy, Digital Transformation, and Talent Development | Driving Innovation in Non-Profit & Private Sectors | Dissertation Chair & Adjunct Professor
I have written several articles with an emphasis on aggregation of metrics. Presenting tactical metrics will go over most people's heads, or they simply don't need to know the tiny details that tactical metrics provide. Something I have been asked to clarify is how aggregation relates to the business.
While having a discussion with a fellow information security practitioner, we were saying that a dashboard is like a scoreboard. You have to understand the game and what each stat means to know the state of the game. However, the dashboard, like a scoreboard, shouldn't be so complicated that you can't watch the game, which is where aggregation comes into play.
With that, here are two examples of relating aggregated results to the business using the C.H.I.C.A.GO. framework:
- Education
  - Confidentiality - This area relates to protecting student data. A loss of confidentiality puts federal funding at risk due to a potential FERPA violation.
  - Human Resources - This is all about productivity of people. Are they inconvenienced? Are they able to work? Can teachers deliver their lessons?
  - Integrity - Reporting has to happen to ensure students are where they are supposed to be, along with other student data. Also, state funding is related to reporting. A failure in this space puts additional funding at risk.
  - Character/Reputation - A loss in this space, usually related to another KRI, results in a loss of confidence. In the education space, parents can move to private or charter schools. This also can result in having to deal with the press or lawsuits.
  - Availability - Schools spend money on technology and it should be available. When public funds are used, the public usually wants them used in the classroom. Nobody wants a call from the Mayor, trustee, or alderman asking about misappropriation or waste of funds.
  - Gold/Finance - Educational institutions have to be mindful of their dollars and cents. Ensuring that money is spent wisely and not wasted on fines or preventable issues helps to keep this risk in check.
- Healthcare
  - Confidentiality - This is about protecting patient and employee data. Loss of patient data is most likely a HIPAA violation, which directly relates to fines and bad press.
  - Human Resources - Here we are ensuring that doctors and staff are productive and can do their jobs of saving and enhancing lives.
  - Integrity - Reporting in healthcare is incredibly important. Providing care is based on the patient records and history. A failure in this area can be catastrophic.
  - Character/Reputation - When a healthcare organization cannot be trusted, people can move on to another provider. It also introduces extra scrutiny by outside parties, which can be expensive to respond to.
  - Availability - Systems need to be up to provide care, from EMRs to connected MRI machines. We have seen in the press how quickly operations can come to a halt when healthcare falls victim to ransomware.
  - Gold/Finance - No one wants fines or unnecessary costs. Funds not spent on patient care and boosting capabilities are not well spent.
However you aggregate your results, make sure they tie back to what the business cares about. A simple way to answer the question of what the business cares about is these quick questions:
- What do we do and what do we need to do in order to do more?
- Who do we do it for?
- How do we do it?
- When do we do what we do?
- Why do we do what we do?
Through aggregation of the results we get the attention of the business by telling our story in terms that they understand. This helps get the results that you want to continue driving forward. From there, you can reverse the aggregation to know how to move forward tactically.
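To make the roll-up and the "reverse the aggregation" step concrete, here is an added example that is not part of the original article. It takes a handful of constructed tactical metrics for the healthcare scenario above, each tagged with one of the six C.H.I.C.A.GO. categories and a normalised risk score, rolls them up into one number per category for the scoreboard, and then drills back down to the tactical metrics driving any one category. The metric names, scores, weights and the `aggregate`/`drill_down` helpers are all assumptions made for illustration, not the author's method.

```python
from collections import defaultdict
from dataclasses import dataclass

# The six C.H.I.C.A.GO. categories named in the article, in the article's order.
CATEGORIES = ("Confidentiality", "Human Resources", "Integrity",
              "Character/Reputation", "Availability", "Gold/Finance")


@dataclass(frozen=True)
class TacticalMetric:
    name: str
    category: str        # one of CATEGORIES
    score: float         # 0.0 (no risk) .. 1.0 (worst); normalised by whoever collects it
    weight: float = 1.0  # relative importance within its category (hypothetical)


# Constructed sample metrics for a healthcare organisation; values are made up.
SAMPLE_METRICS = [
    TacticalMetric("Endpoints holding unencrypted PHI (%)", "Confidentiality", 0.4, weight=2.0),
    TacticalMetric("Phishing simulation click rate", "Confidentiality", 0.2),
    TacticalMetric("Clinician helpdesk tickets open > 24h (%)", "Human Resources", 0.3),
    TacticalMetric("EMR record reconciliation failures (%)", "Integrity", 0.1, weight=2.0),
    TacticalMetric("Negative press mentions (normalised)", "Character/Reputation", 0.0),
    TacticalMetric("EMR uptime shortfall vs. target", "Availability", 0.6, weight=2.0),
    TacticalMetric("Unpatched connected imaging devices (%)", "Availability", 0.5),
    TacticalMetric("Fines and unplanned spend vs. budget", "Gold/Finance", 0.2),
]


def aggregate(metrics):
    """Roll tactical metrics up into one weighted-average score per category.

    Returns a dict keyed by category, rounded to three decimals; categories with
    no metrics are omitted rather than reported as zero risk.
    """
    totals = defaultdict(float)
    weights = defaultdict(float)
    for m in metrics:
        if m.category not in CATEGORIES:
            raise ValueError(f"unknown category: {m.category!r}")
        totals[m.category] += m.score * m.weight
        weights[m.category] += m.weight
    return {c: round(totals[c] / weights[c], 3) for c in CATEGORIES if weights[c]}


def drill_down(metrics, category, top=3):
    """Reverse the aggregation: the metrics driving one category, worst first."""
    hits = [m for m in metrics if m.category == category]
    return sorted(hits, key=lambda m: m.score * m.weight, reverse=True)[:top]


def scoreboard(metrics):
    """Business-facing view: one line per category, no tactical detail."""
    return "\n".join(f"{cat:<22} {score:.3f}" for cat, score in aggregate(metrics).items())


if __name__ == "__main__":
    print(scoreboard(SAMPLE_METRICS))
    worst = max(aggregate(SAMPLE_METRICS).items(), key=lambda kv: kv[1])[0]
    print(f"\nDrill-down for {worst}:")
    for m in drill_down(SAMPLE_METRICS, worst):
        print(f"  {m.name}: score={m.score} weight={m.weight}")
```

The scoreboard is what goes in front of the business; the drill-down is what the security team uses to decide which tactical item to work on next, which is the "reverse the aggregation" step the article closes on.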