RSM Australia security and privacy services partner Michael Shatter said the growing investment in online infrastructure highlights its importance for the firms and clients of the future; however, it is just as vital that adequate metrics are in place to measure that investment.
“For some organisations these activities and their associated costs become a material investment. However, security spending is not and should not be excused from the normal business scrutiny of how funds are spent and the measurement of the return on these investments,” Mr Shatter said.
“To really understand the value and success of the security measures and the respective investments, organisations should measure and report on agreed-upon metrics. These metrics should communicate clearly to the board and management whether the cyber and information system security controls and processes are effective and are delivering value,” he explained.
Organisations should ensure their metrics are understandable, accurate and meaningful, and that what is reported relates directly to the work the security team is responsible for, according to RSM.
RSM said that to have confidence in that reporting process, the metrics should be independently and reliably measured, reflecting the current processes in place.
“Information security management is closely linked to an organisation’s risk management processes. Therefore, security metrics reporting should be a key part of the risk assessment of mitigation strategies and actions that are either planned or already in place,” Mr Shatter said.