How To Create Better Security Metrics

Securing The Super Bowls Of Sports

To see why a good metrics program is essential, Andrew Jaquith, chief technology officer of Perimeter e-Security, points to a recent meeting with a major--and, of course, unnamed--client.

This particular customer spends many millions of dollars on Perimeter's email services, Jaquith told attendees to last week's RSA Conference in San Francisco. Without good metrics to show the value contributed by the security-service provider, it's unlikely they would remain a client.

"Our sponsor was quite plain with us. He said, 'Look, our CFO signs a very large check to you every year; you need to show me that the value of what we are buying is justifying the investment,'" Jaquith said. "It's not that he wants to see a two-million dollar security return based on cleaner email ... but he does want to see that, based on what we are doing, it's making a difference to his business."

A good metrics program is all about showing the value of certain security choices to decision makers. And it's not just about customers. Security teams also have to satisfy their "internal customers," the executives who are signing off on budgets and educating the rank-and-file to take information security to heart. "The thing to remember is that metrics need to be motivating," Jaquith said.

There are three types of metrics: tactical metrics that must be acted on in near real time; tactical metrics that don't need to be acted on in real time; and strategic metrics, which should directly impact the company's bottom line, said Alex Hutton, a member of the RSA panel and director of operational risk for an unnamed financial institution.

"The top strategic metric, of course, is that almighty dollar," Hutton said. "If you can't express your strategic metric in terms of dollars, you are going to run into problems."

Here are four recommendations from the panelists at the RSA Conference.

1. Start collecting data – now.
When thinking about starting a metrics program or expanding an existing one, many security professionals will overthink the problem and run into analysis paralysis, says Arian Evans, vice president of operations for Web security firm White Hat Security and the third member of the panel.

Read the rest of this article on Dark Reading.

InformationWeek is conducting a survey on information security and risk management. Upon completion of our survey, you will be eligible to enter a drawing to receive an 64-GB Apple iPad 2. Take our Alternative Strategic Security Survey now. Survey ends March 16.