
Note - This was originally asked in another Area51 proposal, which has since been deleted.

nealmcb
AviD

2 Answers


From the ISACA CGEIT (Certificate in Governance of Enterprise IT) the key categories are:

  1. Respond to business requirements in alignment with business strategy
  2. Respond to governance requirements in line with board direction
  3. Ensure satisfaction of end users with service offerings and service levels
  4. Optimise the use of information
  5. Create IT agility
  6. Define how business functional and control requirements are translated into effective and efficient automated solutions
  7. Acquire and maintain integrated and standardised application systems
  8. Acquire and maintain an integrated and standardised IT infrastructure
  9. Acquire and maintain IT skills that respond to IT strategy
  10. Ensure mutual satisfaction of third party relationships
  11. Ensure seamless integration of applications into business processes
  12. Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels
  13. Ensure proper use and performance of the applications and technology solutions
  14. Account for and protect all IT assets
  15. Optimise the IT infrastructure, resources and capabilities
  16. Reduce solution and service delivery defects and rework
  17. Protect the achievement of IT objectives
  18. Establish clarity of business impact of risks to IT objectives and resources
  19. Ensure that critical and confidential information is withheld from those who should not have access to it
  20. Ensure that automated business transactions and information exchanges can be trusted
  21. Ensure that IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster
  22. Ensure minimum business impact in the event of an IT service disruption or change
  23. Make sure that IT services are available as required
  24. Improve IT's cost efficiency and its contribution to business profitability
  25. Deliver projects on time and on budget, meeting quality standards
  26. Maintain the integrity of information and processing infrastructure
  27. Ensure IT compliance with laws, regulations and contracts
  28. Ensure that IT demonstrates cost efficient service quality, continuous improvement and readiness for future change

Interestingly, you will see that only nine of those are really to do with IT security, and of those, five are around resilience, so the CIO's view of risk is not the same as an IT security professional's.

So realistically, the stats required would be in reference to:

  • Protecting assets - attacks detected on assets vs successful attacks
  • Access control - breaches of access control, failures to include users in policy etc
  • Trust of automated processes - audit flags, control failures
  • Ensuring business continuity - successful testing of BC/DR plans
  • Reduction of impact - cost analysis post attacks (successful or otherwise)
  • Compliance - audit/regulator findings

Rory Alsop
    Nice answer... BUT most of it is not metrics :). Also, I think most of the metrics that ARE there are more a question of "how well did we survive that attack", or "how bad are the attacks". I'm not sure it really says much about the risk exposure... (i.e. *before* the attack or misuse...) – AviD Jan 02 '11 at 00:41
  • # of incidents per year, by type, in positive integers
  • Time/resources needed to handle (investigate, clean up, analysis/review/post-mortem, etc) incidents, in number of man hours (each incident should have their own corresponding data)
  • Coverage (as a percentage) across metastructure and infostructure in terms of forensics, log management, incident response process/program management, and incident handler training
  • Quality of forensics, log management, incident response process/program management and incident handler training, by category (info/metastructure) and sub-category (e.g. per-app, per-BU, per-data-center, etc), as gauged by an external assessor (once per year, measured as some sort of scale that can be trended over time, probably 1 to 100 and grades but not like FISMA)
atdre
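To make the metrics in both answers concrete, here is an added example (not code from either answer or from ISACA) that computes them from structured records: incidents per year by type, man-hours per incident split by handling phase, detected-versus-successful attacks per type (Rory Alsop's "protecting assets" stat), and per-layer coverage of the four capabilities atdre lists. The incident log and asset inventory are constructed sample data invented for illustration; the record layout and the capability names are assumptions, not a standard.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Incident:
    year: int
    kind: str            # incident type, e.g. "malware", "phishing"
    successful: bool     # False = detected and blocked before impact
    hours: dict          # man-hours per handling phase


@dataclass
class Asset:
    name: str
    layer: str           # "infostructure" or "metastructure"
    forensics: bool
    log_mgmt: bool
    ir_process: bool
    handler_trained: bool


# Constructed sample data for illustration only; not real incidents or systems.
INCIDENTS = [
    Incident(2010, "malware", True, {"investigate": 6, "cleanup": 4, "postmortem": 2}),
    Incident(2010, "malware", False, {"investigate": 3, "cleanup": 2, "postmortem": 1}),
    Incident(2010, "phishing", True, {"investigate": 2, "cleanup": 1, "postmortem": 1}),
    Incident(2011, "web attack", False, {"investigate": 1, "cleanup": 0, "postmortem": 1}),
    Incident(2011, "malware", True, {"investigate": 8, "cleanup": 6, "postmortem": 2}),
]

ASSETS = [
    Asset("web-frontend", "infostructure", True, True, True, True),
    Asset("hr-database", "infostructure", False, True, True, False),
    Asset("payroll-app", "infostructure", False, False, True, False),
    Asset("identity-provider", "metastructure", True, True, True, True),
    Asset("dns", "metastructure", False, True, False, False),
]

CAPABILITIES = ("forensics", "log_mgmt", "ir_process", "handler_trained")


def incidents_per_year(incidents):
    """Count of incidents per year, broken down by type (positive integers)."""
    counts = defaultdict(Counter)
    for inc in incidents:
        counts[inc.year][inc.kind] += 1
    return {year: dict(c) for year, c in counts.items()}


def hours_per_incident(incidents):
    """Handling effort kept per incident (so outliers stay visible), plus the
    total per phase so the expensive phase can be trended over time."""
    per_incident = [sum(inc.hours.values()) for inc in incidents]
    per_phase = Counter()
    for inc in incidents:
        per_phase.update(inc.hours)
    return per_incident, dict(per_phase)


def attack_outcomes(incidents):
    """Per type: (attacks detected, attacks that succeeded). Every logged
    incident counts as detected; the gap between the two is what the
    'attacks detected vs successful attacks' stat is meant to expose."""
    detected = Counter(inc.kind for inc in incidents)
    succeeded = Counter(inc.kind for inc in incidents if inc.successful)
    return {kind: (detected[kind], succeeded[kind]) for kind in detected}


def coverage(assets):
    """Percentage of assets in each layer that have each capability."""
    by_layer = defaultdict(list)
    for asset in assets:
        by_layer[asset.layer].append(asset)
    return {
        layer: {
            cap: round(100.0 * sum(getattr(a, cap) for a in group) / len(group), 1)
            for cap in CAPABILITIES
        }
        for layer, group in by_layer.items()
    }


if __name__ == "__main__":
    print(incidents_per_year(INCIDENTS))
    print(hours_per_incident(INCIDENTS))
    print(attack_outcomes(INCIDENTS))
    print(coverage(ASSETS))
```

Keeping hours per incident rather than only an average is deliberate: one long-running investigation can double the yearly total, and that is exactly what a trend line should show. The coverage figure is the only one of the four that says something about exposure before an incident, which is the gap AviD's comment points at.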