Qualys security metrics project focuses on continuous monitoring

A security industry initiative to collect metrics to help effect change is currently focusing on continuous monitoring

A security industry initiative to collect useful metrics to effect positive change is currently focusing on continuous monitoring.

The metrics project was set up by Qualys in October 2013 as part of the Trustworthy Internet Movement (TIM) established and funded by Qualys chief executive Philippe Courtot in 2012.

TIM aims to tap the power of the global security community to advance industry-wide technology innovations and initiatives for actionable change.

In line with those aims, the security metrics project invites organisations to contribute easily-understandable security metrics that security practitioners can use to present to the business.

The metrics project is currently focused on getting industry input to help develop guidance on how best to do continuous monitoring and to use related tools effectively.

Continuous monitoring is fast becoming a security buzzword, but many security professionals see it is a way for them to regain lost ground to hit back at advanced, persistent attackers.

The US National Institute of Standards and Technology defines the aim of continuous monitoring to be ongoing awareness of vulnerabilities and threats to support risk-based decisions.

The key metric in this context is the frequency of scanning, according to metric project leader, Wolfgang Kandek, chief technology officer at Qualys.

“The aim is to find out how often organisations are carrying out scans to enable them to benchmark themselves against their peers,” he told Computer Weekly.

Kandek believe continuous monitoring is an important area of focus and that organisations should be aiming to carry out scans of their systems at least once every day.

He is still trying to build industry momentum around the security metrics project by engaging with other security suppliers and security professionals within organisations at a grassroots level.

Kandek believe that for far too long CFOs have had the monopoly on interesting metrics to present that demonstrate the financial progress of the business.

His hope is that the metrics project will generate a similar set of proven metrics that non-security people in the business can understand.

More on security metrics

Read more on IT risk management