Ever since I wrote the Pragmatic CSO a lifetime ago (okay, 4 years, but it feels like a lifetime), I have been evangelizing about better quantification of security programs. Even without context, quantification is valuable, but they are much more useful together. So I have been pushing hard for finding a set of similar companies to compare your metrics against, to provide that needed context. Alas, with the number of fires we have to fight every day, most security folks just don’t make the time to embrace metrics.
This paper focuses on why you should. We consider security metrics at a high level to lay the foundation, then spend most of the paper explaining what benchmarking offers your security program and how to do it. A brief excerpt from the Executive Summary explains it well:
A key aspect of maturing our security programs must be the collection of security metrics and their use to improve operational processes. Even those with broad security metrics programs still have trouble communicating the relative effectiveness of their efforts – largely because they have no point of comparison. Thus when talking about the success/failure of any security program, without an objective reference point senior management has no idea if your results are good. Or bad.
Enter the Security Benchmark, which involves comparing your security metrics to a peer group of similar companies. If you can get a fairly broad set of consistent data (both quantitative and qualitative), then compare your numbers to that dataset, you can get a feel for relative performance. Obviously this is very sensitive data, so due care must be exercised when sharing it, but the ability to transcend the current and arbitrary identification of problem areas as ‘red’ (bad), ‘yellow’ (not so bad), or ‘green’ (a bit better) enables us to finally have some clarity on the effectiveness of our security programs. Additionally, the metrics and benchmark data can be harnessed internally to provide objectives and illuminate trends to improve key security operations.
Those of you who embrace quantification gain an objective method for making decisions about your security program. No more black magic, voodoo, or hypnosis to get your budget approved, okay?
While you are enjoying the paper, please send a thank you to nCircle for licensing it.