Cybersecurity Metrics Reporting Model

The ComplianceForge Cybersecurity Metrics Reporting Model™ (CMRM) takes a practical view towards implementing a sustainable metrics reporting capability. At the end of the day, executive management (e.g., CIO, CEO, Board of Directors (BoD), etc.) want an answer to a relatively-straightforward question: “Are we secure?” In order for a CISO to honestly provide an answer, it requires a way for the CISO to measure and quantify an “apples and oranges” landscape where processes and technologies lack both uniform risk weighting and abilities to capture metrics. The SMRM helps solve this aspect of dissimilarity by utilizing a weighted approach to metrics that generate Key Performance Indexes (KPXs) as a way to logically-organize and report individual metrics. Using KPX enables the SMRM to provide a reasonable and defendable answer.

complianceforge cybersecurity metrics analytics

The “Are we secure?” question is best answered as a numerical score. This quantifiable score is used to visualize the score against a numerical spectrum to provides context, based on the risk profile of the organization. The numerical score would land between “not secure” and “secure” on the spectrum, according to a baseline score definition that would be specific to the organization. This can provide long-term trending to evaluate the direct impact of certain security initiatives. The SMRM can be automated in a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform, but it comes as a Microsoft Excel spreadsheet as part of ComplianceForge’s Digital Security Program (DSP). The “Are we secure?” question can be both tracked to display trending and drilled down into KPXs, or individual metrics, to identify why the score changed.

complianceforge cybersecurity metrics template 

Key Performance Index (KPX) is essentially a term that we use to normalize the various metrics in each category. One area of contention with metrics is defining what a KPI or KRI is since people tend to butcher the terminology. Our approach to defining those terms are shown below:

Key Performance Indexes (KPXs)
KPXs are logical groupings of KPIs that allow an organization to monitor an index of metrics about a specific capability or team.

KPIs and KRIs are not hierarchical metrics, but are individual metrics that are deemed important to monitor, based on the specific risk or value associated with that metric:

Key Performance Indicators (KPIs)

Key Risk Indicators (KRIs)

The metrics shown in this model are included in the ComplianceForge Digital Security Program (DSP) product. Being transparent on the subject, the entire point of a "canned solution" for metrics is to provide a starting point where someone else does the heavy lifting for you to get to a 70-80% solution that someone within your organization can then run with to customize for your specific needs. This is where ComplianceForge is a business accelerator - we enable you to hit the ground running with your cybersecurity documentation that can takes months or years to create on your own. The "heavy lifting" of the equation is what we provide, not the finalized metrics product. That is really where the demarcation is between what ComplianceForge offers for metrics and how an organization would customize the remaining since you have the organization-specific knowledge side of the metrics equation that cannot be templatized.

ComplianceForge does not sell the SMRM, KPIs, KRIs on their own, since the metrics are part of the DSP solution. With the 1-1 mapping relationship between the DSP and the Secure Controls Framework (SCF), the DSP can help operationalize the SCF controls in a meaningful and efficient manner, so that is something to consider for organizations that want to fully adopt the SCF as its control structure and maximize its effectiveness.

We are happy to discuss our products. Please feel free to contact us with your questions. 

Browse Our Products

  • Digital Security Program (DSP)

    Digital Security Program (DSP) - SCF Policy Template

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...

    Choose Options
  • NIST 800-171 Compliance Program (NCP). This is a bundle of products that are specific to NIST 800-171 and CMMC 2.0 compliance - policies, standards, procedures, SSP & POA&M templates. Editable CMMC 2.0 Level 2 (old Level 3) policies, standards, procedures, SSP & POA&M templates. CMMC policies & standards. NIST 800-171 policies & standards.

    NIST 800-171 Compliance Program (NCP): CMMC Level 2

    ComplianceForge - NIST 800-171 & CMMC

    NIST SP 800-171 & CMMC Editable & Affordable Cybersecurity Documentation This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive. NIST 800-171 Rev 3...

    Choose Options

Learn More About Cybersecurity & Data Privacy