Use Key Risk, Performance and Control Indicators to Diagnose IT Security Risks

Just as doctors at an annual physical quickly determine a patient’s basic health status by measuring blood pressure, pulse and temperature, we can take the same approach to measuring fundamental aspects of security operations. To do so, we must deconstruct the vast amount of security statistics into normalized and categorized facts that form metadata describing aspects of security. These can then be mathematically recombined into meaningful measures.

GreySpark enables IT and business managers to track key risk indicators, understand control and compliance effectiveness and measure overall security operations performance. Leveraging existing tools and sensors, GreySpark calculates clear metrics, enabling the CISO to communicate effectively with business managers and giving analysts a definitive diagnostic path to underlying metric drivers.




The six key risk indicators that GreySpark measures are:

  • New Threats – What is new?  Operators will be practiced in managing known types of events.  New ones likely aren’t covered by an existing prescription, increasing their contribution to risk in the organization.
  • Defense Effectiveness – How often are we seeing the same event recurring, and are we simply treating the effect and not dealing with the cause?  Did the event occur on the firewall or on the endpoint?  Recurring threats and vulnerabilities, and those occurring deep inside the defenses, indicate problems with the effectiveness of defenses.
  • Opportunity Risk – How bad, in aggregate, are the threat and vulnerability events?  Where in the organization are we seeing hot spots?  More serious threats and vulnerabilities are more likely to lead to compromise.
  • Technical Debt – How fast are things getting worse (or better)?  Taking into account the total volume, velocity, acceleration, and severity of events, this measure describes the workload aspect of current events and the direction things are heading.  Security technical debt creates unresolved issues that drive down performance indicators and up risk indicators.
  • Score History – Do I have enough data to be confident in the measure?  Computation of statistically significant performance and risk metrics requires consistent availability of data.
  • Surface Area – How many devices are participating in security events, and at what severity levels?  Aspects such as network security blind spots, rogue networks, and concentrations of events drive key indicators.

GreySpark's key control indicator is:

  • Architectural Maturity – Do I have the controls I need? Are they effective?  How well do I cover my compliance AND security requirements?

GreySpark builds confidence in the overall performance of IT security operations by examining and monitoring key indicators and ultimately aiding decision makers in assigning priorities within a business context.