Benefits of Security Metrics
In my opinion, one of the more valuable components of a security program that (unfortunately) doesn't receive the attention it should is metrics
A successful security metrics program can benefit an organisation in various ways;
- It serves as a measuring stick for effectiveness of security controls;
This can demonstrate to management (and the entire organisation) how effective the existing controls are compared to the number of threats being targeted againstt the network. e.g. 500 e-mail viruses detected and stopped at the gateway per day and none reported at the desktop or mail server -- provided there is anti-virus installed and working on those two points as well.
- It can identify areas that may require improvement;
By effectively tracking and measuring threats against existing controls, it may identify areas that require additional attention. As an example, the mail gateway has detected and stopped 1000 SPAM e-mail per day; however, users are reporting hundreds of SPAM being delivered into their inbox. This may be an indication it's time to either revisit the anti-SPAM solution on the gateway or review the configuration.
- It can help the security department at budget time;
In an era where most organisations are expected 'to do more with less', it's always a difficult sell to get more money for the security budget - by accurately tracking how much is being spent for each area of security (i.e. information, physical, training/awareness, BCP, etc... and measure this against the areas that presented the most "challenges" in the past year, it may help to get more money allocated to address those problem areas OR you may ask yourself, "Am I spending money in the right areas?".
It's also important to know your audience when presenting reports on metrics - if it's to an operations department, then it may make more sense to present a deep dive into the "guts" of the security operation whereas if it's to management, keep it at a high level.
For those of you who don't currently report on security metrics, it's never too late to start - if you're looking for a good site to get more information, have a look at: http://www.securitymetrics.org/content/wiki.jsp