Metrics matter because they provide realistic, factual data. However, designing and implementing a metrics program for GRC processes has proved more challenging than designing and implementing the processes themselves.
Benefits of a metrics program:
There are many, but a few worth noting are:
- It gives both IT and business leadership significant data points about risks, controls, gaps, required mitigation effort, compliance, user awareness and so on.
- It helps you gain control over your risk and security posture. Good or bad, you know for sure where you stand, and that is the foremost thing any GRC leader strives for.
- It helps you lay down a controlled roadmap for improving your risk and security posture.
- Measuring control performance lets you measure the ROI of security and GRC initiatives.
- Most importantly, it helps you predict, prioritize and direct your investments, something every business leader wants.
Top pointers to evaluate while designing a metrics program:
- Keep it simple and avoid a big-bang approach.
- Know what is to be measured, why it should be measured and how it should be measured.
- Decide on data collection, analysis and reporting methods, including how to secure them. Metrics are significant data points in their own right: a metrics report is effectively a map of where your controls are weakest, so the collected data and the reports need the same protection as the findings they summarize.
- Organize resources for measurement, including the sponsorship and collaboration required.
- Collect, analyze, report and improve your measurements so that you can improve your overall risk and security posture.
Remember, you can measure controls, whether procedural or technological, as well as processes, risks and gaps. Measuring risk is probably the most challenging, because a risk tends to be a composite of multiple factors that must be rolled up for better visibility. So it is important to build a risk value chain (controls feeding risks, risks feeding processes, processes feeding business units) so that rolling up makes sense for you, and to decide up front which aggregation rule each level uses, because a worst-case roll-up and an average roll-up tell leadership very different stories from the same control measurements.
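To make the roll-up concrete, here is an added example (not code from the original post or from Happiest Minds) of a small risk value chain in Python. Control test results measured by the metrics program sit at the leaves; each risk combines its inherent likelihood and impact with the measured effectiveness of its controls to give a residual score; and residual scores roll up through processes to a business unit. The node names, control pass rates, the 1 to 5 likelihood and impact scales, the assumption that layered controls fail independently, and the two aggregation rules (worst case and mean) are all constructed assumptions for illustration, not a prescribed GRC scoring method.

```python
"""Hypothetical risk value chain roll-up (added example, not from the original post).

Leaves are controls measured by the metrics program (tests passed / tests run).
A Risk node turns inherent likelihood x impact into residual risk using the
measured control effectiveness.  Node objects (process, business unit) roll the
residual scores of their risks and children upward using a chosen aggregator.
All names, weights and figures below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Control:
    name: str
    passed: int  # control tests that passed in the reporting period
    total: int   # control tests performed in the reporting period

    def effectiveness(self) -> float:
        """Measured effectiveness in [0, 1]; an untested control counts as 0."""
        return 0.0 if self.total == 0 else self.passed / self.total


@dataclass
class Risk:
    name: str
    likelihood: int  # inherent likelihood on an assumed 1..5 scale
    impact: int      # inherent impact on an assumed 1..5 scale
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> float:
        return float(self.likelihood * self.impact)  # 1..25

    def residual(self) -> float:
        """Inherent score scaled by the probability that every control fails.

        Assumption: controls are layered and fail independently, so the combined
        failure probability is the product of the individual failure rates.
        A risk with no measured control keeps its full inherent score.
        """
        failure = 1.0
        for control in self.controls:
            failure *= 1.0 - control.effectiveness()
        return self.inherent() * failure


@dataclass
class Node:
    """A process or business unit that owns risks and/or child nodes."""
    name: str
    risks: List[Risk] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


Aggregator = Callable[[List[float]], float]


def worst_case(scores: List[float]) -> float:
    """Roll up the single worst residual so a bad path is never averaged away."""
    return max(scores) if scores else 0.0


def mean_score(scores: List[float]) -> float:
    """Roll up the arithmetic mean; smoother, but hides individual bad paths."""
    return sum(scores) / len(scores) if scores else 0.0


def roll_up(node: Node, agg: Aggregator) -> Dict[str, float]:
    """Return {node name: rolled-up residual score} for node and all descendants."""
    scores: Dict[str, float] = {}
    local = [risk.residual() for risk in node.risks]
    for child in node.children:
        scores.update(roll_up(child, agg))
        local.append(scores[child.name])
    scores[node.name] = agg(local)
    return scores


def build_sample_chain() -> Node:
    """Constructed sample chain: one business unit with two processes."""
    mfa = Control("MFA enforced on remote access", passed=95, total=100)
    pam_review = Control("Quarterly privileged access review", passed=6, total=12)
    patch_sla = Control("Critical patches within SLA", passed=40, total=100)

    online_banking = Node("Online banking", risks=[
        Risk("Credential compromise", likelihood=4, impact=5, controls=[mfa, pam_review]),
        Risk("Unpatched internet-facing host", likelihood=3, impact=4, controls=[patch_sla]),
    ])
    core_ledger = Node("Core ledger", risks=[
        Risk("Backup restore untested", likelihood=2, impact=5),  # no measured control
    ])
    return Node("Retail bank", children=[online_banking, core_ledger])


if __name__ == "__main__":
    chain = build_sample_chain()
    for label, agg in (("worst case", worst_case), ("mean", mean_score)):
        print(f"--- roll-up by {label} ---")
        for name, score in roll_up(chain, agg).items():
            print(f"{name:35s} {score:6.2f}")
```

Running the sample shows the point of choosing the rule deliberately: under the worst-case rule the business unit inherits the untested backup risk (10.0), while under the mean rule the same measurements report 6.9, and the 7.2 residual on the unpatched host is diluted to 3.85 at the process level. Whichever rule you pick, record it next to the metric so the audience knows what the number means.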
Thiruvadinathan is a former Happiest Mind and this content was created and published during his tenure.