What you measure is what you get
SC Magazine has a new article today on measuring security performance.
Five recommendations were made:
- Recommendation #1 – Establish a Risk Baseline
- Recommendation #2 – Conduct Real-Time Measurements of Changes in Risk Levels
- Recommendation #3 – Benchmark the “Mean Time to Repair” for Security Problems
- Recommendation #4 – Compare Baseline Information to Desired Outcome
- Recommendation #5 – Use SIM Technology to Automate This Process
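Recommendations #1, #3 and #4 only become actionable once MTTR is actually computed from ticket data and compared against a baseline. The following is an added example, not code from the article or from SC Magazine: it takes a constructed set of findings (hypothetical identifiers and dates), computes MTTR per severity over closed findings only, reports still-open findings separately so a backlog cannot hide behind a healthy average, and checks each figure against assumed baseline targets.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One security problem tracked from discovery to fix."""
    ident: str
    severity: str
    opened: datetime
    closed: Optional[datetime]  # None means the problem is still unresolved


# Constructed sample records (hypothetical findings, not real data).
FINDINGS: List[Finding] = [
    Finding("F-1", "critical", datetime(2024, 3, 1, 9), datetime(2024, 3, 2, 9)),
    Finding("F-2", "critical", datetime(2024, 3, 3, 8), datetime(2024, 3, 5, 8)),
    Finding("F-3", "high", datetime(2024, 3, 1, 10), datetime(2024, 3, 8, 10)),
    Finding("F-4", "high", datetime(2024, 3, 2, 10), datetime(2024, 3, 4, 22)),
    Finding("F-5", "medium", datetime(2024, 3, 1), None),
    Finding("F-6", "medium", datetime(2024, 3, 1), datetime(2024, 3, 31)),
]

# Assumed baseline targets in hours (constructed policy values, not from the article).
BASELINE_HOURS: Dict[str, float] = {
    "critical": 48,
    "high": 168,
    "medium": 480,
    "low": 720,
}


def mttr_hours(findings: List[Finding], severity: Optional[str] = None) -> Optional[float]:
    """Mean time to repair in hours over *closed* findings, optionally for one severity.

    Open findings are excluded rather than counted as zero, and None is
    returned when nothing has been closed, so a missing value is never
    mistaken for a perfect score."""
    durations = [
        (f.closed - f.opened).total_seconds() / 3600
        for f in findings
        if f.closed is not None and (severity is None or f.severity == severity)
    ]
    return mean(durations) if durations else None


def open_count(findings: List[Finding], severity: Optional[str] = None) -> int:
    """Number of findings still unresolved, the backlog MTTR alone does not show."""
    return sum(
        1 for f in findings
        if f.closed is None and (severity is None or f.severity == severity)
    )


def compare_to_baseline(findings: List[Finding], baseline: Dict[str, float]) -> Dict[str, dict]:
    """Per severity: measured MTTR, baseline target, whether it is met, open backlog."""
    report = {}
    for sev, target in baseline.items():
        measured = mttr_hours(findings, sev)
        report[sev] = {
            "mttr_hours": measured,
            "target_hours": target,
            "within_target": None if measured is None else measured <= target,
            "open": open_count(findings, sev),
        }
    return report


if __name__ == "__main__":
    for sev, row in compare_to_baseline(FINDINGS, BASELINE_HOURS).items():
        print(sev, row)
```

The design point is the treatment of open findings: averaging only over closed items is the honest MTTR, but it must be reported next to the open count, otherwise an organisation that simply never closes its hardest problems would show an improving trend.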
Even though I agree with some of the assessment in this article, I have to say this article lacks substance.
First, other than the MTTR, there are no other concrete metrics that CIOs and CISOs can get out of this article.
Second, most of the terms and formulas are straight out of the CISSP manuals. And these are fairly high level with not much concrete information to work with.
Third, this is a sales pitch for SIM products. SIM solutions, unfortunately, cannot automate the whole process. Much of the process requires more than a SIM solution: some of it requires manual work and some requires other technology solutions.
A new organization, the Security Metrics Consortium, was established a while back to “empower security professionals with the ability to continually measure their organization’s security posture by defining real-world, standardized metrics.”
I haven’t seen a whole lot from them yet, but they are probably worth watching.
