Gathering metrics to measure the effectiveness of an
enterprise security strategy can be an imprecise task, but that's
no excuse for not trying.
John Meakin, group head of information security at Standard
Chartered Bank, told the recent RSA security conference in San Jose
that metrics are the only way to tell whether enough money is
being spent on a company's security.
"Start using metrics to make security decisions, and don't get
too hung up on the quality of the data, or on complicated
methodologies," said Meakin. "Just start doing it."
Security experts have long advocated the use of metrics to get a
more measured view of IT operational risks and the controls
required to mitigate them. Organisations are under increasing
compliance pressure from legislation such as Sarbanes-Oxley to
demonstrate due diligence when protecting their data assets.
Metrics give companies a way to rank threats and vulnerabilities
by the risk they pose to enterprise information assets, using
either quantitative or qualitative measures.
Adopting metrics can help companies target their IT security
resources far more effectively, said Meakin, whose company has been
moving to a risk-based approach to vulnerability management over
the past three years.
At Standard Chartered this has already changed decisions. Three
years ago the bank was considering encrypting all confidential
traffic moving over one of its wide area networks because of
security concerns. A metrics-based risk assessment showed that the
encryption was overkill for the risk involved.
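The kind of cost-versus-risk comparison that produces a verdict such as "encryption is overkill" can be made concrete. The following is an added example, not the article's or Standard Chartered's own method: it assumes the classic annualised loss expectancy model (single loss expectancy times annual rate of occurrence) and a return-on-security-investment comparison of each control's running cost against the loss it is expected to avoid. Every asset value, rate and cost below is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a risk register, scored with the annualised loss model."""
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)

    def single_loss(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Annualised loss expectancy: expected loss per year."""
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A proposed security control with its annual running cost."""
    name: str
    annual_cost: float
    mitigates: str        # name of the Risk it addresses
    effectiveness: float  # fraction of that risk's annual loss it removes (0..1)


def rank_risks(risks):
    """Risks ordered from largest to smallest expected annual loss."""
    return sorted(risks, key=lambda r: r.annual_loss(), reverse=True)


def evaluate_control(control, risks):
    """Compare a control's cost with the loss it is expected to avoid.

    Returns the avoided annual loss, the net annual benefit and the return
    on security investment; 'recommend' is True only if the control pays
    for itself, i.e. the avoided loss exceeds its cost.
    """
    by_name = {r.name: r for r in risks}
    risk = by_name[control.mitigates]
    avoided = risk.annual_loss() * control.effectiveness
    net = avoided - control.annual_cost
    return {
        "control": control.name,
        "avoided_loss": avoided,
        "net_benefit": net,
        "rosi": net / control.annual_cost,
        "recommend": net > 0,
    }


def prioritise_controls(controls, risks):
    """Controls ordered by net annual benefit, best first."""
    return sorted((evaluate_control(c, risks) for c in controls),
                  key=lambda e: e["net_benefit"], reverse=True)


# Constructed figures for illustration only; none of this is the bank's data.
RISK_REGISTER = [
    Risk("WAN eavesdropping on confidential traffic", 2_000_000, 0.05, 0.02),
    Risk("Unpatched internet-facing web server", 5_000_000, 0.20, 0.5),
    Risk("Lost or stolen laptop with customer data", 1_000_000, 0.10, 2.0),
]

CONTROLS = [
    Control("Encrypt all confidential WAN traffic", 150_000,
            "WAN eavesdropping on confidential traffic", 0.9),
    Control("Monthly patch cycle with external scanning", 120_000,
            "Unpatched internet-facing web server", 0.7),
    Control("Full-disk encryption on laptops", 40_000,
            "Lost or stolen laptop with customer data", 0.95),
]


if __name__ == "__main__":
    for r in rank_risks(RISK_REGISTER):
        print(f"{r.name:45s} ALE {r.annual_loss():>12,.0f}")
    for e in prioritise_controls(CONTROLS, RISK_REGISTER):
        verdict = "fund" if e["recommend"] else "overkill"
        print(f"{e['control']:45s} net {e['net_benefit']:>12,.0f}  {verdict}")
```

With these constructed inputs the WAN encryption control removes almost all of a risk whose expected annual loss is small, so its running cost far exceeds the loss it avoids and it is marked as overkill, while patching and laptop encryption both pay for themselves. The ranking of risks and the recommendation on each control are the metrics a budget discussion can then be anchored to.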
Adopting metrics is clearly a good idea. But how many
organisations will ignore Meakin’s advice, and instead get
themselves hung up on data quality and methodology madness?