For managers and executives, however, the picture needs to be simplified to a less controversial collection of measurements. While security administrators focus on technical metrics, managers and chief security officers have to focus on how IT security interacts with business, said Kevin Lawrence, senior security associate with IT security consultancy Stach & Liu.
"Everything comes down to whether the business impact is worth the security reward," said Lawrence. "It does not makes sense to close a vulnerability if you can't then do business."
Earlier this month, industry experts weighed in on their top-5 metrics for tactical security, such as identifying dark parts of their own network and the total attack surface area. In interviews, analysts and security professionals offered a higher-level, more strategic mix of metrics to measure as well.
While some of these metrics may not directly correlate to security, getting high marks means that a company has a good level of control over its systems, network and data- and that means security, said Andrew Jaquith, chief technology officer of security services firm Perimeter e-Security.
"Running a tighter shop, with more control, is always good for security," he said. "It means that you can react very quickly if you have to change something."
Here are five security metrics to track for businesses.
1. Keep up with the Joneses
A starting point for many companies is whether they are spending as much as the median firm in their industry. In 2012, security is expected to account for 7% of IT budgets as a whole, according to business intelligence firm Forrester Research. The number varies by industry with financial services tending to spend more, and healthcare and manufacturers spending less.
"If your industry partners are spending 6% of their IT budget on security and you are spending 2%, that's probably an issue," said Stach & Liu's Lawrence.
While the metric does not indicate how well companies are spending their security dollars, it is a good high-level measurement.
The effort to achieve and maintain compliance with Sarbanes-Oxley requirements remains one of the primary drivers behind many IT security initiatives. In our Security Via SOX Compliance report, we share 10 best practices to meet SOX security-related requirements and help ensure you'll pass your next compliance audit. (Free registration required.)