ITIL Security KPI

This is a hard topic to nail down because ITIL, by its very nature, is non-prescriptive: it stays at a high level and deliberately does not say "now you must do this activity in this way".
What it does is give you guidelines which, if you follow them, ensure you provide the right amount of information to the other processes and to your business managers.

ITIL Security KPI - should they be prescriptive?

Having said that, some of the other frameworks are far more prescriptive and specify KPIs that must be measured.
This can also be their downfall because, although they may give a significant amount of detail, they can also be providing too much detail.
Why is that, you say? Because providing that detail has a cost in time and resources.
If there is no real business benefit in providing that detail, you shouldn't be wasting that time and those resources.

ITIL Security KPI - some possible KPIs

Here are a number of KPIs I might use if I were measuring Security Management performance:

- Reduced number of security-related service calls, change requests and fixes
- Amount of downtime caused by security incidents
- Reduced turnaround time for security administration requests
- Number of systems subject to an intrusion detection process
- Number of systems with active monitoring capabilities
- Reduced time to investigate security incidents
- Time lag between detection, reporting and acting upon security incidents
- Number of IT security awareness training days

ITIL Security KPI - a final word

The funny thing is that, with the more prescriptive models, your organization could fail an audit for not measuring the mandated KPIs, even though measuring them may bring no benefit to the organization.
This is what makes ITIL, used correctly, so powerful!
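As an added example (not part of the original post), the following Python shows how several of the KPIs listed above would be computed from incident-tracker records: downtime, the detection-to-reporting and reporting-to-action lags, investigation time, and intrusion-detection and monitoring coverage. The record fields and the sample incidents are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SecurityIncident:
    """One incident-tracker record (field names are assumptions for this example)."""
    ident: str
    detected: datetime   # first alert or observation
    reported: datetime   # logged with the service desk / security team
    actioned: datetime   # first containment or remediation step
    closed: datetime     # investigation completed
    downtime: timedelta  # service outage attributed to the incident


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def _mean_hours(deltas: List[timedelta]) -> float:
    # An empty reporting period yields 0.0 rather than raising on mean([]).
    return mean(_hours(d) for d in deltas) if deltas else 0.0


def security_kpis(incidents: Iterable[SecurityIncident], systems_total: int,
                  systems_with_ids: int, systems_monitored: int) -> Dict[str, float]:
    """Compute the measurable KPIs from the list above for one reporting period."""
    inc = list(incidents)

    def pct(n: int) -> float:
        return round(100.0 * n / systems_total, 1) if systems_total else 0.0

    return {
        "incident_count": len(inc),
        "downtime_hours": sum(_hours(i.downtime) for i in inc),
        "mean_detect_to_report_h": _mean_hours([i.reported - i.detected for i in inc]),
        "mean_report_to_action_h": _mean_hours([i.actioned - i.reported for i in inc]),
        "mean_investigation_h": _mean_hours([i.closed - i.detected for i in inc]),
        "ids_coverage_pct": pct(systems_with_ids),
        "monitoring_coverage_pct": pct(systems_monitored),
    }


# Constructed sample records, not real incident data.
SAMPLE_INCIDENTS = [
    SecurityIncident("INC-1", datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 9, 0),
                     datetime(2024, 3, 1, 10, 30), datetime(2024, 3, 2, 8, 0), timedelta(hours=2)),
    SecurityIncident("INC-2", datetime(2024, 3, 5, 14, 0), datetime(2024, 3, 5, 14, 15),
                     datetime(2024, 3, 5, 15, 15), datetime(2024, 3, 5, 20, 0), timedelta(0)),
    SecurityIncident("INC-3", datetime(2024, 3, 10, 2, 0), datetime(2024, 3, 10, 6, 0),
                     datetime(2024, 3, 10, 6, 30), datetime(2024, 3, 12, 2, 0), timedelta(hours=5)),
]

if __name__ == "__main__":
    # 40 systems in scope, 30 under intrusion detection, 36 actively monitored (constructed).
    for name, value in security_kpis(SAMPLE_INCIDENTS, 40, 30, 36).items():
        print(f"{name:26s} {value}")
```

Tracking the same figures period over period is what turns "reduced time to investigate" from a wish into a measurable trend.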