The majority of organizations don’t apply metrics to their cybersecurity efforts, and those that do often measure the wrong things. Here’s how to ensure your cybersecurity projects pay off. And even when organizations’ information security function does generate and deliver data about the business’ security, it typically never gets read.

To help security departments align with the business, the ISF has developed a four-phase, practical approach to developing KPIs and KRIs. The ISF’s approach was designed to be applied at all levels of an organization and consists of four phases:

• Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPRs and KRIs
• Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations
• Create impact by engaging to make recommendations relating to common interests and make decisions about next steps
• Learn and improve by engaging to develop learning and improvement plans

Once you have the data, you need to generate insight from it. The ISF says reliable insights come from understanding KPIs and KRI. With the insights in hand, it’s time to create impact, ensuring that information is reported and presented in a way that is accepted and understood by all involved.