IT Pros Better at Tracking Cybersecurity KPIs

More than ever, provider and payer organisations recognise the benefits of analytics and data visualisation, and have honed their skills in collecting and reporting a slew of metrics and KPIs to keep tabs on their clinical, financial, and operational health.

As Omar Khawaja, chief information security officer of Highmark Health, will explain next week at the HIMSS Healthcare Cybersecurity Forum, it’s equally crucial when implementing and developing effective cybersecurity programmes. Measurement, on the other hand, has its limitations. And far too many firms track KPIs in a haphazard or unnecessary manner.

Instead, “it’s incredibly crucial to actually establish who it’s for, and how they truly plan to use the data” for each measure, he said. In around 70% of all reports, no one looks at them. You must first determine who your target audience is and then cater to them properly. From intrusion attempts and unidentified devices to patching frequency and 3rd-party vendor credibility, there are a plethora of indicators that may be tracked. Of course, KPIs such as mean time to detection and resolution of security issues should be monitored.

To ensure that all essential metrics are collated and disseminated to the parties who need to know them, Khawaja use the MECE measure – “mutually exclusive, collectively exhaustive.” Khwaja will also speak at the Cybersecurity Forum about how to improve data visualisation and dashboard presentation, as well as how to turn data into action. When it comes to motivating meaningful changes from such indicators, Khawaja recommends gamification. “People appreciate gamification because it produces genuine results.”