Benefits of Security Metrics
In my opinion, one of the more valuable components of a security program that (unfortunately) doesn't receive the attention it should is metrics.
A successful security metrics program can benefit an organisation in various ways:
- It serves as a measuring stick for the effectiveness of security controls;
This can demonstrate to management (and the entire organisation) how effective the existing controls are compared to the number of threats being targeted against the network, e.g. 500 e-mail viruses detected and stopped at the gateway per day and none reported at the desktop or mail server -- provided there is anti-virus installed and working at those two points as well.
- It can identify areas that may require improvement;
By effectively tracking and measuring threats against existing controls, it may identify areas that require additional attention. As an example, the mail gateway has detected and stopped 1000 SPAM e-mails per day; however, users are reporting hundreds of SPAM messages being delivered into their inboxes. This may be an indication that it's time either to revisit the anti-SPAM solution on the gateway or to review its configuration.
- It can help the security department at budget time;
In an era where most organisations are expected 'to do more with less', it's always a difficult sell to get more money for the security budget. By accurately tracking how much is being spent on each area of security (i.e. information, physical, training/awareness, BCP, etc.) and measuring this against the areas that presented the most "challenges" in the past year, it may help to get more money allocated to address those problem areas, OR you may ask yourself, "Am I spending money in the right areas?"
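The first two points above both rest on the same measurement: count what a first-line control stops and compare it with what is still seen by the controls behind it. The script below is an added example, not part of the original post; it parses a constructed feed of daily detection counts (the "date,layer,control,count" format, the layer names, and the 5% review threshold are all assumptions) and computes a per-control leak ratio. It also records the caveat from the first point: a zero downstream count only means something when the downstream layers are actually reporting, so any expected layer that sent no data at all is listed separately as a coverage gap rather than silently counted as zero.

```python
"""Layered-control effectiveness metric from constructed detection counts.

Added example (not from the original post). The event format, layer names
and threshold are assumptions made for illustration.
"""
from collections import defaultdict

# Constructed sample data, not real logs: date,layer,control,count.
# Day 1 mirrors the post's figures; day 2 shows a small amount of leakage;
# day 3 has no mail-server antivirus line at all (a reporting gap).
SAMPLE_EVENTS = """\
2023-05-01,gateway,antivirus,500
2023-05-01,desktop,antivirus,0
2023-05-01,mailserver,antivirus,0
2023-05-01,gateway,antispam,1000
2023-05-01,inbox,antispam,250
2023-05-02,gateway,antivirus,480
2023-05-02,desktop,antivirus,3
2023-05-02,mailserver,antivirus,0
2023-05-02,gateway,antispam,1100
2023-05-02,inbox,antispam,300
2023-05-03,gateway,antivirus,510
2023-05-03,desktop,antivirus,0
"""

UPSTREAM = "gateway"        # assumed name of the first-line control layer
LEAK_THRESHOLD = 0.05       # assumed: review when >5% of detections are downstream

# Layers that must report for a zero downstream count to be meaningful
# (the post's "provided there is anti-virus installed and working" caveat).
EXPECTED_DOWNSTREAM = {
    "antivirus": {"desktop", "mailserver"},
    "antispam": {"inbox"},
}


def parse_events(text):
    """Parse 'date,layer,control,count' lines; blanks and '#' comments are skipped."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        date, layer, control, count = parts
        events.append({"date": date, "layer": layer,
                       "control": control, "count": int(count)})
    return events


def aggregate(events):
    """Sum counts into {(date, control): {layer: count}}."""
    agg = defaultdict(lambda: defaultdict(int))
    for e in events:
        agg[(e["date"], e["control"])][e["layer"]] += e["count"]
    return agg


def leak_ratio(layers):
    """Fraction of all detections that happened past the upstream control.

    Returns None when nothing was detected anywhere for the period, so a
    quiet day is not mistaken for a perfect one.
    """
    upstream = layers.get(UPSTREAM, 0)
    downstream = sum(c for layer, c in layers.items() if layer != UPSTREAM)
    total = upstream + downstream
    return None if total == 0 else downstream / total


def effectiveness_report(text, threshold=LEAK_THRESHOLD):
    """Per (date, control): upstream/downstream counts, leak ratio, review flag,
    and any expected downstream layer that reported nothing that day."""
    report = {}
    for (date, control), layers in sorted(aggregate(parse_events(text)).items()):
        ratio = leak_ratio(layers)
        missing = EXPECTED_DOWNSTREAM.get(control, set()) - set(layers)
        report[(date, control)] = {
            "upstream": layers.get(UPSTREAM, 0),
            "downstream": sum(c for l, c in layers.items() if l != UPSTREAM),
            "leak_ratio": ratio,
            "needs_review": ratio is not None and ratio > threshold,
            "missing_layers": sorted(missing),
        }
    return report


if __name__ == "__main__":
    for (date, control), row in effectiveness_report(SAMPLE_EVENTS).items():
        ratio = "n/a" if row["leak_ratio"] is None else f"{row['leak_ratio']:.1%}"
        gap = f" (no data from: {', '.join(row['missing_layers'])})" if row["missing_layers"] else ""
        flag = "REVIEW" if row["needs_review"] else "ok"
        print(f"{date} {control:<9} upstream={row['upstream']:>5} "
              f"downstream={row['downstream']:>4} leak={ratio:>6} {flag}{gap}")
```

On the constructed data the antivirus layer stays well under the threshold on both full days, while antispam leaks about 20% on each day, which is the situation the second point describes and the signal to revisit the gateway solution or its configuration. Day 3 antivirus shows a 0% ratio but lists `mailserver` as missing, so the zero should not be reported to management as evidence of effectiveness until that layer is confirmed to be reporting.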
It's also important to know your audience when presenting reports on metrics: if it's to an operations department, then it may make more sense to present a deep dive into the "guts" of the security operation, whereas if it's to management, keep it at a high level.
For those of you who don't currently report on security metrics, it's never too late to start. If you're looking for a good site to get more information, have a look at: http://www.securitymetrics.org/content/wiki.jsp
Peter Pearson