Intellitactics announced the results of a recent survey of top information security and IT decision-makers regarding the use of business-driven metrics for measuring security effectiveness and value. The survey, conducted by San Antonio, Texas-based Frost & Sullivan using an online instrument during February 2006, polled over 80 senior executives on their interest in measuring security value, the use of metrics to quantify security effectiveness, and current practices for generating and communicating with metrics.

Key survey findings emphasize that the ability to measure value requires a centralized reporting capability, presentation of information in context, and automated processes for dynamically generating the metrics.

Centralized Reporting Capability and Metrics. To accurately portray the security posture of the organization, it is essential to have a centralized repository of information that can be used to compute metrics. Results show that 89.5 percent of the organizations surveyed use metrics to describe the current security posture. Almost half, 46 percent, use metrics to measure security value, with 42.5 percent planning to take action within the year. About 60 percent of those already taking steps to measure security performance do so to justify spending; and almost 80 percent reported that demonstrating IT security effectiveness to other functional managers helps IT to justify action and budgets.

Information Without Context Provides Little Value. Without context, technical reports on raw alert and incident counts are not effective performance indicators. By contrast, both comparative metrics (one unit or period against another) and trend metrics (the same measure over time) are valuable in assessing the effectiveness of security programs and technology. More than 50 percent of companies surveyed recognize the importance of trending, the ability to show improvement over time, and over two-thirds of respondents have either implemented or plan to implement some form of trend reporting within the coming year.

Effective Communication. Metrics need to be presented in a context that makes the information relevant and usable for making decisions and understanding the actions taken. The overall look of the report and the frequency of distribution both affect the recipients' perception of how useful the measurement is. Survey results show that 25 percent of executives are dissatisfied with the value they get from their current reports. Fifty-two percent of respondents are still delivering reports on paper, and a slightly larger percentage, 56 percent, share reports via email.

To help companies achieve success in using business-driven metrics to measure security value, Intellitactics offers these guidelines.

  • Identify all stakeholders and involve as many constituents as possible early in the metric development process.
  • Begin with the organization's business goals and identify measures that link security strategy with business objectives.
  • Use the SMART technique to develop metrics that are Specific, Measurable, Actionable, Relevant, and Timely.
  • For each metric, assign an owner who is accountable for the performance of the metric.
  • Consider staffing an IT security position responsible for metrics.
  • Establish a centralized data repository for data collection.
  • Implement security information and event management to automate the production, consolidation and analysis of metrics.
  • Use dashboard technology to quickly and dynamically present metrics and security measures to stakeholders.
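The following is an added illustration of the guidelines above, not code from the survey or from Intellitactics. It models a small centralized repository of findings (the record layout, the 30-day SLA, the two business units and every record in it are constructed assumptions) and computes three views over it: the context-free count of findings opened per month, a trend metric (median days to close critical and high findings, by month), and a comparative metric (SLA compliance per business unit). Each metric has a clear owner-facing definition, which is what makes it SMART rather than a raw alert tally.

```python
"""Trend and comparative metrics computed from a central findings repository.

Added illustration, not code from the survey or from Intellitactics. The
record layout, SLA threshold, business units and sample findings below are
assumptions constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One row of the centralized repository (hypothetical schema)."""
    finding_id: str
    business_unit: str
    severity: str            # "critical", "high", "medium" or "low"
    opened: date
    closed: Optional[date]   # None means still open


# Constructed sample data: eleven findings across two business units.
REPOSITORY: List[Finding] = [
    Finding("F-001", "Retail",  "critical", date(2006, 1, 3),  date(2006, 1, 24)),
    Finding("F-002", "Retail",  "high",     date(2006, 1, 10), date(2006, 2, 9)),
    Finding("F-003", "Retail",  "high",     date(2006, 2, 14), date(2006, 2, 28)),
    Finding("F-004", "Retail",  "critical", date(2006, 3, 2),  date(2006, 3, 9)),
    Finding("F-005", "Retail",  "low",      date(2006, 3, 5),  None),
    Finding("F-006", "Finance", "critical", date(2006, 1, 15), date(2006, 2, 19)),
    Finding("F-007", "Finance", "high",     date(2006, 2, 1),  None),
    Finding("F-008", "Finance", "high",     date(2006, 3, 1),  date(2006, 3, 13)),
    Finding("F-009", "Finance", "medium",   date(2006, 3, 10), None),
    Finding("F-010", "Finance", "critical", date(2006, 1, 20), date(2006, 1, 31)),
    Finding("F-011", "Finance", "high",     date(2006, 3, 20), None),
]

TRACKED = ("critical", "high")   # severities the metric owner is accountable for
SLA_DAYS = 30                    # assumed remediation target for tracked severities
AS_OF = date(2006, 3, 31)        # reporting date for the comparative view


def month_key(d: date) -> str:
    return f"{d.year:04d}-{d.month:02d}"


def raw_alert_count(findings: Iterable[Finding]) -> Dict[str, int]:
    """The context-free view: how many findings were opened per month.

    A rising count may mean a worsening posture or simply better detection,
    so on its own it is not a performance indicator."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[month_key(f.opened)] += 1
    return dict(counts)


def trend_median_days_to_close(findings: Iterable[Finding]) -> Dict[str, float]:
    """Trend metric: median days from open to close for tracked severities,
    grouped by the month in which the finding was closed."""
    buckets: Dict[str, List[int]] = defaultdict(list)
    for f in findings:
        if f.severity in TRACKED and f.closed is not None:
            buckets[month_key(f.closed)].append((f.closed - f.opened).days)
    return {month: float(median(days)) for month, days in sorted(buckets.items())}


def comparative_sla_compliance(findings: Iterable[Finding], as_of: date) -> Dict[str, float]:
    """Comparative metric: share of tracked findings per business unit that met
    the SLA. Open findings older than the SLA count as breaches; open findings
    younger than the SLA cannot be judged yet and are excluded."""
    met: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for f in findings:
        if f.severity not in TRACKED:
            continue
        if f.closed is not None:
            within_sla = (f.closed - f.opened).days <= SLA_DAYS
        elif (as_of - f.opened).days > SLA_DAYS:
            within_sla = False
        else:
            continue
        total[f.business_unit] += 1
        met[f.business_unit] += int(within_sla)
    return {unit: met[unit] / total[unit] for unit in sorted(total)}


def trend_direction(series: Dict[str, float], lower_is_better: bool = True) -> str:
    """Summarize the latest month against the one before it."""
    values = [series[k] for k in sorted(series)]
    if len(values) < 2:
        return "insufficient data"
    prev, last = values[-2], values[-1]
    if last == prev:
        return "flat"
    improved = last < prev if lower_is_better else last > prev
    return "improving" if improved else "worsening"


if __name__ == "__main__":
    print("findings opened per month (no context):", raw_alert_count(REPOSITORY))
    mttr = trend_median_days_to_close(REPOSITORY)
    print("median days to close, critical/high:", mttr, "->", trend_direction(mttr))
    print("SLA compliance by unit:", comparative_sla_compliance(REPOSITORY, AS_OF))
```

On the constructed data the raw count rises from 4 to 5 findings per month, which says nothing about performance, while the trend view shows median time to close for critical and high findings dropping from 30 days to under 10 in March, and the comparative view shows Retail meeting the assumed SLA on every tracked finding against Finance at half. Those are the figures a dashboard can put in front of a stakeholder with a named owner behind each one.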
