Gathering metrics to measure the effectiveness of an enterprise security strategy can be an imprecise task, but that's no excuse for not trying.
John Meakin, group head of information security at Standard Chartered Bank, told the recent RSA security conference in San Jose that metrics are the only way to truly tell if enough money is being spent on a company's security.
"Start using metrics to make security decisions, and don't get too hung up on the quality of the data, or on complicated methodologies," said Meakin. "Just start doing it."
Security experts have long advocated the use of metrics to get a more measured view of IT operational risks and the controls required to mitigate them. Organisations are under increasing compliance pressure from legislation such as Sarbanes-Oxley to demonstrate due diligence when protecting their data assets. Metrics give companies a way to prioritise the threats and vulnerabilities and the risks they pose to enterprise information assets based on a quantitative or qualitative measure.
Adopting metrics can help companies target their IT security resources far more effectively, said Meakin, whose company has been moving to a risk-based approach to vulnerability management over the past three years.
This approach has helped Standard Chartered target its security resources much better. Three years ago, the bank was considering encrypting all confidential traffic moving over one of its wide area networks because of security concerns. But a metrics-based risk assessment showed that such encryption was overkill.
Adopting metrics is clearly a good idea. But how many organisations will ignore Meakin's advice, and instead get themselves hung up on data quality and methodology madness?