RSM Australia reports that organisations and senior leadership are becoming more involved in the management of cyber security risks because of the threat that’s posed to the business.
To diminish these risks, RSM says companies are making significant investments in all areas of security. These areas range from devices and appliances, right through to software and end-user security awareness training.
Michael Shatter, partner of Security & Privacy Services at RSM Australia, says for some, these activities and their costs become a material investment.
“However, security spending is not and should not be excused from the normal business scrutiny of how funds are spent and the measurement of the return on these investments,” says Shatter.
“To really understand the value and success of the security measures and the respective investments, organisations should measure and report on agreed-upon metrics,” he explains.
Shatter explains that these metrics should communicate clearly to the board and management whether the cyber and information system security controls and processes are effective and are delivering value.
When developing security metrics, RSM advises organisations to consider the following characteristics:
“Information security management is closely linked to an organisation’s risk management processes,” adds Shatter.
“Therefore, security metrics reporting should be a key part of the risk assessment of mitigation strategies and actions that are either planned or already in place.”