The need for tools to help IT managers assess the effectiveness of their security investments has fuelled another effort to develop worthwhile performance measurement metrics.
The latest organisation to try is a new group called the Security Compliance Council. It has announced plans to create standard measures to assess and benchmark information security performance.
The group, whose founding members include Houston security company BindView, the Computer Security Institute in San Francisco and The Institute of Internal Auditors (IIA), a 100,000-member association in Florida, wants to develop research and survey-based IT security guidelines to help companies figure out what they need to do and how they are faring.
IT managers tend to be sceptical as to whether such benchmarks can really be effective. Their value depends on the quality of the information fed into them, and most organisations are reluctant to share detailed security data, such as incident counts or control coverage, with outsiders.
Meanwhile, companies vary in how they implement and manage security technologies and in how they define and count incidents, so adopting someone else's definition of best practice will not always be the right solution. The phrase "One man's meat is another man's poison" springs to mind.