ID.IM-02.185

Does your organization collect and analyze security performance metrics to drive improvements to your cybersecurity program?

Explanation

This question assesses whether your organization has established a data-driven approach to security by measuring the effectiveness of security controls and using those insights to make informed improvements. Performance metrics might include mean time to detect/respond to incidents, vulnerability remediation times, security tool coverage, or false positive rates from security monitoring tools. Evidence could include dashboards or reports showing security metrics over time with trend analysis, documentation of program improvements made based on metric findings, or meeting minutes where security metrics were reviewed and acted upon by leadership.

Implementation Example

Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program

ID: ID.IM-02.185

Context

Function: ID: IDENTIFY
Category: ID.IM: Improvement
Sub-Category: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub