ABSTRACT
STEP 6 – Measuring Strategic Plan Performance and End of Year (EOY) Tasks discusses methods of assessing strategic plan performance, such as critical success factors, strategy alignment with corporate values and other strategies, initiative progress, assessment results, risk mitigation, Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). The chapter presents examples of KRIs and KPIs, as well as reports and graphics that can be prepared for senior management, such as:
- Cybersecurity and Cyber Resilience Initiatives mapped to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) subcategories
- Cybersecurity Initiatives NOT mapped to the NIST CSF subcategories, and why
- Initiative-to-CSF mapping per objective
- Strategic Plan Progress Reports – Cybersecurity and Cyber Resiliency
- Current State to End of Year (EoY) and Target State tier rating
- The Cybersecurity and Cyber Resiliency Strategy Yearly Report, which combines four reports:
  - Strategic Objective Completion
  - Business Unit (BU) Quarterly Risk Mitigation
  - Cybersecurity Initiative Progress
  - Cyber Resiliency Initiative Progress
The chapter identifies all input types contributing to next year's “new initiatives analysis”:
- Threats/Vulnerabilities
- Risk Assessments
- KRI and KPI Analyses
- NIST CSF Target State Gaps
It discusses all of the EoY tasks for the Steering Committee, such as:
- Ensure compliance with regulations
- Prepare the EoY Strategy Performance Measurement Statistics (e.g., KRIs, KPIs, Cyber Assessment and Program gaps, initiative progress)
- Complete the Yearly Strategy Progress Report
- Distribute EoY reports to senior management
- Create any additional Strategy Performance Reports
- Establish objectives for the following year
- Start the process for determining new initiatives for the following year
- Confirm Steering Group Committee member composition going forward
- Determine corporate Governance requirements, and create a swimlane to illustrate the Governance critical approval path
The Cybersecurity and Cyber Resiliency Life Cycle diagram is presented again to emphasize that the Strategy is a living document which, together with all the tools presented in this book, can continue to guide your enterprise's cybersecurity and cyber resiliency program from a risk-based perspective for many years.