Security Metrics

I’m in the process of putting together some useful security metrics to report up to the senior management of my organisation. This is one area of the industry that, in my opinion, is sorely lacking in good, detailed guidance, on what to report and how to report it.

One of the better references I’ve used to help me is a paper entitled “Top 10 Tangible Measures for Effective Information Risk Management” by David Lacey. David makes the point that “Identifying appropriate metrics ideally requires a consideration of the organization’s business goals, strategies and compliance requirements, and the measures that could be used to prioritize activities and help prevent incidents.” The message is that the right metrics are unique to a business and the paper offers some some good advice on how to get inspiration for what to report within your own.

According to the latest research from Forrester “the majority of security metrics programs are still in their infancy or planning phases.” One of the more useful points of guidance I liked from a paper entitled “Defining An Effective Security Metrics Program” by Khalid Kark and Paul Stamp (published May 2007) is this: “You can measure the time it takes to implement a particular patch to a critical system. This information by itself will not help you analyze anything. Alternatively, if you measure the mean time it takes to patch all critical systems in your environment and then trend this information over time, the results can be used for analysis to determine whether your patch management processes are getting more efficient.” The same paper goes on to define seven steps to a successful metrics program. They make it sound simple, like the seven steps to buttering a slice of toast – however, getting past step one “Make measurements and metrics a key part of your security program” (and not, “remove lid from butter”) can be a challenge on its own, requiring you to develop a security measurement capability.

I also liked the words of wisdom on the subject from Bruce Schneier. He makes the point that “getting attention (and budget) from top executives such as risk managers, CFOs, and CEOs, means creating metrics that help measure the value of the security effort.” I agree and that’s why my own metrics program will be focusing on those systems that directly link to business strategy.

Lastly for now, for those of you working on application security, OWASP have an Application Security Metrics project underway and currently in its early stages.

More on this subject to come…