GV.RM-01.013

Has your organization established measurable objectives for cybersecurity risk management?

Explanation

Measurable objectives provide concrete targets that enable an organization to track progress in managing cybersecurity risks. Examples include metrics for user training completion rates (e.g., 95% of employees complete security awareness training), incident response time targets (e.g., critical vulnerabilities remediated within 48 hours), or specific risk reduction goals for critical systems (e.g., reduce high-risk findings in industrial control systems by 50% year-over-year). Evidence of fulfillment could include a documented cybersecurity program with clearly defined key performance indicators (KPIs), risk management dashboards showing progress against objectives, or regular reports to leadership that track cybersecurity metrics against established targets.

Implementation Example

Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)

ID: GV.RM-01.013

Context

Function: GV: GOVERN
Category: GV.RM: Risk Management Strategy
Sub-Category: Risk management objectives are established and agreed to by organizational stakeholders

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub