B. key performance indicators (KPIs).
Continuously monitoring an organization's cybersecurity posture effectively is best done by evaluating its key performance indicators (KPIs). KPIs are a set of quantifiable measurements that organizations use to track and evaluate their performance against specific goals or objectives. They can be used to measure various aspects of an organization's cybersecurity posture, such as its ability to detect and respond to threats, the effectiveness of its security controls, and its overall security risk profile. By regularly monitoring and evaluating these KPIs, organizations can identify areas where they need to improve and make adjustments to their cybersecurity strategies accordingly.
While compliance with industry regulations, level of support from senior management and timeliness in responding to attacks are important aspects of cybersecurity, key performance indicators (KPIs) give a more holistic view of the organization's cybersecurity posture and help the organization to track progress over time.
B would be more effective to "continuously monitor" an organization's posture. D just pertains to responding to incidents and not the organization's posture.
Establish, monitor, evaluate and report key information security metrics to provide management with accurate and meaningful information regarding the effectiveness of the information security strategy.
, key performance indicators
B. key performance indicators (KPIs).
Key performance indicators (KPIs) are metrics or measurable indicators that provide insights into the organization's cybersecurity posture and performance. By establishing and monitoring relevant KPIs, an organization can assess its security controls, identify trends, measure the effectiveness of security measures, and detect any potential vulnerabilities or weaknesses.
KPIs can include metrics such as the number of security incidents, response times to incidents, percentage of systems patched and updated, successful phishing attempts, employee security awareness training completion rates, and other relevant indicators. These metrics provide a quantitative and objective view of the organization's security posture, allowing for ongoing monitoring, analysis, and adjustment of security measures.
KPIs are measurable values that demonstrate how effectively an organization is achieving its cybersecurity goals and objectives. By monitoring KPIs regularly, organizations can quickly identify potential cybersecurity issues and take proactive steps to address them. Examples of cybersecurity KPIs include the number of incidents detected, incident response time, and effectiveness of security controls.