Lesson 4 of 9

Persona Driven Dashboards

Board

The board wants to see how operational metrics roll up to the strategic level, so it focuses on a few key measures. At board level these measures are very few and usually restricted to the following:

  • Mean Time To Recover (MTTR): the average elapsed time from first being alerted to a product or system failure to recovering from it. The acronym is also expanded as Mean Time To Respond, which stops the clock when response begins rather than at recovery; state which definition the dashboard uses so that board figures are comparable over time.
  • This measure is hard to quantify, but if done properly it can be a very effective one to share at board level.

Executive Management

Executive management needs to understand the company's strengths and weaknesses. Knowing exactly where the company should bolster its cybersecurity effort helps it make strides in improving its security and, with it, its trust within the marketplace.

  • The percentage of all inventoried software that is regularly and consistently evaluated for vulnerabilities and associated risk.
  • The average time your recovery plan takes to address breaches.
  • Percentage increase or decrease in overall incident numbers.
  • The percentage of all systems using data encryption.
  • The number of data breach notifications documented.

Middle Management

Middle management aims to keep the region and business unit they are responsible for secure. They benefit from insight into a selection of aggregated operational metrics.

  • Key regional threats their organisation is exposed to.
  • The percentage of all inventoried software that is regularly and consistently evaluated for vulnerabilities and associated risk.
  • The average time your recovery plan takes to address breaches.
  • Percentage increase or decrease in overall incident numbers.
  • The percentage of all systems using data encryption.
  • The number of data breach notifications documented.

Operational Management

Operational management benefits from insight into the overall health of the Security Operations organisation and tracks daily and weekly steady-state operations. A few examples follow:

  1. Incident Metrics provide insight into the KPIs around incident handling:
    • Source of Incidents Created: The sources through which incidents were detected or reported.
    • Time Between Event Detected and Record Created: The time between the event being detected in the SIEM and the incident record being created.
    • Incident % False Positive: The percentage of recorded incidents later identified as false positives.
    • Time Between Incident Acknowledged and Incident Contained: The time between the Member Firm acknowledging the incident and containing it (applies to P1 and P2 only; Member Firms are not expected to report on P3 and P4).
    • Incident % Escalated from L1 to L2: The percentage of incidents escalated from L1 to L2 within the KPMG GSOC, broken down by week.
    • Incidents Created & Closed: The number of incidents opened and the number closed in the reporting period.
    • Incident % Escalated from L2 to L3: The percentage of incidents escalated from L2 to L3 within the KPMG GSOC, broken down by week.
    • Incident % Handled Purely at L1: The percentage of incidents resolved at L1 without escalation.
    • Incident Count by Member Firm: The distribution of incidents by member firm on a weekly basis.
  2. Categorization and Classification Metrics: L1 and L2 analysts record the following VERIS fields against each incident, so the time to do so must be budgeted into incident handling.
    • Actors-Origin: The geographic distribution of the attacks, per the VERIS classification of the incident.
    • Actors-Motive: The motive behind the attacks, per the VERIS classification of the incident.
    • Actions-Vector: The attack vector, per the VERIS classification of the incident.
    • Actions-Malware.Variety: The distribution of the varieties of malware used, per the VERIS classification of the incident.
    • Actions-Hacking.Variety: The distribution of the types of hacking attack used, per the VERIS classification.
    • Asset-Management: The distribution of who manages the affected asset (which part of the business, or a third party), per the VERIS classification of the incident.
    • Attributes-Variety: The distribution of incidents by platform, per the VERIS classification. Note that the VERIS schema records the affected platform under the asset section (asset variety), while the attributes section records which security property (confidentiality, integrity or availability) was affected; map this dashboard field to the correct schema element.
  3. Performance Metrics
    • Incidents Remediated Count by Analyst ID: Insight into the efficiency and workload of each analyst.
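As an added worked example (not part of the original lesson), the script below computes the operational metrics listed above from constructed incident records: detection-to-record time, false-positive rate, acknowledged-to-contained time restricted to P1/P2, the escalation percentages, created and closed counts, distributions by member firm and by a VERIS field, and the board-level MTTR defined in the first section. The `Incident` fields, the sample records and the use of every incident in the period as the denominator for the escalation percentages are assumptions; map the fields onto your own case-management schema.

```python
# Added example: operational SOC metrics from incident records. Field names
# and the sample data are assumptions, not the lesson's or any product's schema.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Incident:
    id: str
    member_firm: str
    priority: str                      # "P1".."P4"
    source: str                        # detection or reporting source
    detected_at: datetime              # event first seen in the SIEM
    created_at: datetime               # incident record opened
    acknowledged_at: Optional[datetime]
    contained_at: Optional[datetime]
    recovered_at: Optional[datetime]   # service restored (board-level MTTR)
    closed_at: Optional[datetime]
    highest_tier: int                  # highest tier (1-3) that worked the case
    false_positive: bool
    analyst: str
    veris: Dict[str, str]              # VERIS fields, e.g. "actor.motive"


def pct(numerator: int, denominator: int) -> float:
    """Percentage that tolerates an empty reporting period."""
    return 100.0 * numerator / denominator if denominator else 0.0


def mean_hours(deltas: List[timedelta]) -> Optional[float]:
    """None (not 0) when there is nothing to average, so gaps stay visible."""
    return mean(d.total_seconds() / 3600 for d in deltas) if deltas else None


def detect_to_create_minutes(incidents: List[Incident]) -> Optional[float]:
    """Mean time between SIEM detection and the incident record being created."""
    hours = mean_hours([i.created_at - i.detected_at for i in incidents])
    return None if hours is None else hours * 60


def false_positive_pct(incidents: List[Incident]) -> float:
    return pct(sum(i.false_positive for i in incidents), len(incidents))


def ack_to_contain_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean acknowledged-to-contained time for P1/P2 only (P3/P4 are not reported).
    Cases not yet acknowledged or contained are excluded, not counted as zero."""
    return mean_hours([i.contained_at - i.acknowledged_at for i in incidents
                       if i.priority in ("P1", "P2")
                       and i.acknowledged_at and i.contained_at])


def escalation_pct(incidents: List[Incident]) -> Dict[str, float]:
    """Escalation KPIs; denominator is every incident in the period (assumption)."""
    n = len(incidents)
    return {
        "l1_to_l2": pct(sum(i.highest_tier >= 2 for i in incidents), n),
        "l2_to_l3": pct(sum(i.highest_tier >= 3 for i in incidents), n),
        "handled_at_l1": pct(sum(i.highest_tier == 1 for i in incidents), n),
    }


def created_and_closed(incidents: List[Incident], start: datetime,
                       end: datetime) -> Tuple[int, int]:
    """Incidents opened and incidents closed within [start, end)."""
    created = sum(start <= i.created_at < end for i in incidents)
    closed = sum(i.closed_at is not None and start <= i.closed_at < end for i in incidents)
    return created, closed


def count_by(incidents: List[Incident], key: Callable[[Incident], str],
             exclude_false_positives: bool = False) -> Counter:
    """Distribution by member firm, source, analyst or any VERIS field."""
    return Counter(key(i) for i in incidents
                   if not (exclude_false_positives and i.false_positive))


def mttr_hours(incidents: List[Incident]) -> Optional[float]:
    """Board-level MTTR: first alert to recovery, true incidents with a recovery time only."""
    return mean_hours([i.recovered_at - i.detected_at for i in incidents
                       if not i.false_positive and i.recovered_at])


def t(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 3, 4, hour, minute)


def sample_incidents() -> List[Incident]:
    """Constructed records for one day; not real data."""
    fin, esp, ideo = "Financial", "Espionage", "Ideology"
    return [
        Incident("INC-1", "FirmA", "P1", "SIEM", t(9), t(9, 10), t(9, 15), t(12, 15),
                 t(15), t(16), 3, False, "a1", {"actor.motive": fin, "action.vector": "Email"}),
        Incident("INC-2", "FirmA", "P2", "User report", t(10), t(10, 30), t(10, 35), t(14, 35),
                 None, None, 2, False, "a2", {"actor.motive": esp, "action.vector": "Web"}),
        Incident("INC-3", "FirmB", "P3", "SIEM", t(11), t(11, 5), t(11, 10), t(11, 40),
                 t(12), t(12, 30), 1, False, "a1", {"actor.motive": fin, "action.vector": "Email"}),
        Incident("INC-4", "FirmB", "P4", "SIEM", t(12), t(12, 20), t(12, 25), None,
                 None, t(12, 40), 1, True, "a3", {"actor.motive": "Unknown", "action.vector": "Unknown"}),
        Incident("INC-5", "FirmC", "P2", "Threat intel", t(13), t(13, 5), None, None,
                 None, None, 1, False, "a2", {"actor.motive": fin, "action.vector": "Web"}),
        Incident("INC-6", "FirmA", "P1", "SIEM", t(14), t(14, 2), t(14, 5), t(16, 5),
                 t(19), None, 2, False, "a3", {"actor.motive": ideo, "action.vector": "Email"}),
    ]


if __name__ == "__main__":
    incs = sample_incidents()
    print("detect->record (min):", detect_to_create_minutes(incs), "| FP %:", false_positive_pct(incs))
    print("ack->contain P1/P2 (h):", ack_to_contain_hours(incs), "| escalation:", escalation_pct(incs))
    print("created/closed:", created_and_closed(incs, t(0), t(23, 59)), "| by firm:", count_by(incs, lambda i: i.member_firm))
    print("by motive (true incidents):", count_by(incs, lambda i: i.veris["actor.motive"], True), "| MTTR (h):", mttr_hours(incs))
```

Two design points matter for the dashboard numbers. First, the P1/P2 filter in `ack_to_contain_hours` is applied before averaging, so a fast P3 containment never dilutes the reported figure. Second, every averaging function returns `None` rather than `0` when no incident qualifies; an empty week should show as a gap on the dashboard, not as a perfect score.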