Security Dashboard for Monitoring and Tracking Organization's Overall Security Posture

KPI and KRI Data Report for Board Review

Question

The Chief Information Officer (CIO) has been asked to develop a security dashboard with the relevant metrics.

The board of directors will use the dashboard to monitor and track the overall security posture of the organization.

The CIO produces a basic report containing both KPI and KRI data in two separate sections for the board to review.

Which of the following BEST meets the needs of the board?

Answers

Explanations


In this scenario, the Chief Information Officer (CIO) has been asked to develop a security dashboard with relevant metrics for the board of directors to monitor and track the overall security posture of the organization. The CIO produces a basic report containing both Key Performance Indicators (KPI) and Key Risk Indicators (KRI) data in two separate sections for the board to review.

The best answer is option C. It meets the needs of the board because each measure sits in the section where it belongs, so the KRI section reads as a picture of exposure and the KPI section as a picture of how well the security function is performing.

A Key Risk Indicator (KRI) is a forward-looking measure of exposure: it signals how likely a risk is to materialise and how large its impact could be, so the board can act before an incident occurs. A Key Performance Indicator (KPI) is a backward-looking measure of how well the security function is performing against its targets.

In option C, the KRI section contains EDR coverage across the fleet, the percentage of suppliers with an approved security control framework, the backlog of unresolved security investigations, and the threat landscape rating. EDR coverage and supplier approval are exposure measures: every endpoint without an agent and every unvetted supplier is a place where an incident could start or go undetected, which drives potential impact. The investigation backlog and the threat landscape rating are likelihood measures: a growing backlog means detections are not being triaged, and a rising threat rating means more attempts can be expected.

The KPI section contains time to resolve open security items, compliance with regulations, time to patch critical issues on a monthly basis, and the severity of threats and vulnerabilities reported by sensors. Time to resolve and time to patch are direct performance measures of the security and IT teams. Compliance with regulations and the severity reported by sensors show progress toward the organization's security goals: the former against external obligations, the latter as a trend that should fall as controls improve.
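As an added example (not part of the original question or its explanation), the block below computes several of the option C measures from operational records. The record layouts, field names, threshold values and sample data are assumptions chosen for illustration; a real dashboard would pull the same inputs from the asset inventory, EDR console, supplier register and ticketing system. Threat landscape rating, regulatory compliance and sensor-reported severity are left out because they come from external assessments rather than from a computation.

```python
from datetime import date
from statistics import median

# --- Constructed sample records (assumed layouts, not real data) ------------
AS_OF = date(2024, 6, 30)

ASSETS = [f"host-{n:02d}" for n in range(1, 9)]           # 8 inventoried endpoints
EDR_AGENTS = {"host-01", "host-02", "host-03", "host-04",
              "host-05", "host-06", "host-99"}            # host-99 reports but is not inventoried

SUPPLIERS = [
    {"name": "supplier-a", "approved_framework": True},
    {"name": "supplier-b", "approved_framework": True},
    {"name": "supplier-c", "approved_framework": False},
    {"name": "supplier-d", "approved_framework": True},
    {"name": "supplier-e", "approved_framework": True},
]

INVESTIGATIONS = [
    {"id": "INV-1", "opened": date(2024, 5, 20), "closed": None},
    {"id": "INV-2", "opened": date(2024, 6, 25), "closed": None},
    {"id": "INV-3", "opened": date(2024, 6, 1), "closed": date(2024, 6, 10)},
]

TICKETS = [
    {"id": "SEC-1", "severity": "critical", "opened": date(2024, 6, 2), "closed": date(2024, 6, 5)},
    {"id": "SEC-2", "severity": "critical", "opened": date(2024, 5, 28), "closed": date(2024, 6, 4)},
    {"id": "SEC-3", "severity": "high", "opened": date(2024, 6, 10), "closed": date(2024, 6, 20)},
    {"id": "SEC-4", "severity": "critical", "opened": date(2024, 5, 1), "closed": date(2024, 5, 15)},
    {"id": "SEC-5", "severity": "low", "opened": date(2024, 6, 15), "closed": None},
]


# --- KRIs: exposure and likelihood indicators -------------------------------
def edr_coverage_pct(assets, agents):
    """Share of inventoried assets with a reporting EDR agent. An agent that
    reports from a host missing from the inventory (host-99) does not count
    as coverage; it is a separate inventory-hygiene finding."""
    covered = set(assets) & set(agents)
    return round(100.0 * len(covered) / len(assets), 1)


def supplier_approval_pct(suppliers):
    """Share of suppliers whose security control framework has been approved."""
    approved = sum(1 for s in suppliers if s["approved_framework"])
    return round(100.0 * approved / len(suppliers), 1)


def investigation_backlog(investigations, as_of):
    """Count of open investigations and the age in days of the oldest one."""
    open_items = [i for i in investigations if i["closed"] is None]
    oldest = max(((as_of - i["opened"]).days for i in open_items), default=0)
    return {"open": len(open_items), "oldest_age_days": oldest}


# --- KPIs: performance against targets -------------------------------------
def median_days_to_resolve(tickets):
    """Median open-to-close time across all closed security items."""
    durations = [(t["closed"] - t["opened"]).days for t in tickets if t["closed"]]
    return float(median(durations)) if durations else None


def median_days_to_patch_critical(tickets, year, month):
    """Median time to close critical items that were closed in the given month."""
    durations = [
        (t["closed"] - t["opened"]).days
        for t in tickets
        if t["severity"] == "critical" and t["closed"]
        and (t["closed"].year, t["closed"].month) == (year, month)
    ]
    return float(median(durations)) if durations else None


def rag(value, green_at, amber_at, higher_is_better=True):
    """Red/amber/green status against assumed thresholds; grey when no data."""
    if value is None:
        return "grey"
    better = (lambda v, t: v >= t) if higher_is_better else (lambda v, t: v <= t)
    if better(value, green_at):
        return "green"
    if better(value, amber_at):
        return "amber"
    return "red"


def build_report(as_of=AS_OF):
    """Two-section board report: each entry is (value, RAG status)."""
    coverage = edr_coverage_pct(ASSETS, EDR_AGENTS)
    suppliers = supplier_approval_pct(SUPPLIERS)
    backlog = investigation_backlog(INVESTIGATIONS, as_of)
    resolve = median_days_to_resolve(TICKETS)
    patch = median_days_to_patch_critical(TICKETS, as_of.year, as_of.month)
    return {
        "KRI": {
            "edr_coverage_pct": (coverage, rag(coverage, 95, 85)),
            "supplier_approved_pct": (suppliers, rag(suppliers, 90, 75)),
            "investigation_backlog": (backlog, rag(backlog["open"], 5, 10, higher_is_better=False)),
        },
        "KPI": {
            "median_days_to_resolve": (resolve, rag(resolve, 7, 14, higher_is_better=False)),
            "median_days_to_patch_critical": (patch, rag(patch, 3, 7, higher_is_better=False)),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(), indent=2))
```

The thresholds in `rag` are illustrative; the point is that KRIs are judged against an exposure appetite (how much of the fleet may be uncovered) while KPIs are judged against a service target (how fast criticals must be patched), which is why the two belong in separate sections.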

Option A is not the best answer because the KPI section includes EDR coverage across the fleet, which is a KRI data, and the KRI section includes severity of threats and vulnerabilities reported by sensors, which is a KPI data.

Option B is not the best answer because its KRI section includes time to patch critical issues on a monthly basis, which is a performance measure and belongs with the KPIs.

Option D is not the best answer for the same reason: its KRI section also includes time to patch critical issues on a monthly basis, a performance measure that belongs in the KPI section.