I’ve long preached about the importance of visibility and metrics in security. Unless you have line of sight of the security threats, vulnerabilities and incidents that are actually impacting your organisation, you can’t possibly tackle them effectively. And unless you can measure how effective your interventions are, you won’t be able to build efficient processes. You might not even be able to justify your own existence. As the legendary Donn B. Parker (of SRI International) advised me back in 1989, when I’d just joined the Royal Dutch/Shell Group, “David, you need to set up your own intelligence service”. That was perhaps the most useful advice I ever received on how to manage security across a large, diverse organisation, and I’ve spent many years trying to achieve it using human-based intelligence networks and reporting systems. But traditional manual methods are not as reliable as we’d like: they’re often based on no more than hearsay, tip-offs and anecdotal evidence. Fortunately, that’s all changing. There are now some excellent discovery tools appearing in the marketplace: practical tools that enable an organisation to view and manage its security exposure in real time. That’s why I’m forecasting that over the next 18 months we will witness a revolution in the maturity of our security processes, driven by a new, unprecedented capability to view, filter, measure and archive just about everything that’s happening across our networks.
Of course, none of these tools are any use to an organisation that has not first established the methodology needed to set targets, prioritise activities and process the results. Security metrics are the key to this. Metrics are fundamental to achieving the higher levels of process maturity (in the Carnegie Mellon sense). They can help formulate objectives, prioritise security actions and confirm success or failure. But just how should an organisation go about selecting the right metrics? How can it ensure that the selected measures are correctly aligned with business objectives and IT strategy? These are difficult questions with important consequences. Making the right choice of metrics can have a tremendous impact on the future effectiveness of your security function, so think very carefully before presenting your new security targets to the Board. And if you need a helping hand, you could do worse than read my recent white paper on this subject, “Top 10 Tangible Measures for Effective Security Risk Management”, published by nCircle, an innovative supplier of professional vulnerability and risk management tools and services.