Explaining the WHY of good Key Risk Indicators: Do you know what yours are?
Not all risks are threats. Some are opportunities! In Cyber Security, the mission is Risk Mitigation. By knowing and understanding what your Key Risk Indicators (KRIs) are, you can properly prioritize your resources and time allocations. If you have somehow ended up with 1000 KRIs, all you really have is a whole lot of metrics to sort through! At that point, you’re not measuring anything (although you think you are).
KRIs are extremely valuable. They get you to think about things that could happen under certain circumstances or as a result of an unfortunate event, things you otherwise might not have had the chance to think about before. KRIs show you what you need to pay close attention to and what you can confidently send to the "back burner". Good KRIs allow you to make the most of your newly found opportunities and get ahead of risks! What gets better than that? Well, KRIs help you get a good head start on a data-driven budget allocation plan to address those pesky ever-changing security priorities!
Some organizations struggle to understand that the security controls they have in place may not provide an adequate level of protection against advanced cyber-attacks (or even the less advanced cyber-attacks). The latest high-profile enterprise breaches are a clear example that Cyber-Risk Management needs a reasonable amount of attention and will soon be at center stage. By far, KRIs are the perfect way to communicate with Senior Executives, Business Units and a diverse workforce full of techies and non-techies about the importance of paying attention to key risks. At the same time, you’re increasing your organization’s Cyber Security Awareness level! Now, off you go to develop your KRIs, report on them and modify them accordingly. Continuous Improvement is just around the corner!