One of the biggest problems I see in most security programs is a lack of metrics that REALLY measure the effectiveness of the program. IT Security Metrics provides a comprehensive approach to measuring risks, threats, operational activities, and the effectiveness of data protection in your organization.
It is essential that whoever is leading your cyber security program chooses and designs effective measurement strategies and addresses the data requirements of those strategies.
There is a Security Process Management Framework that allows for the production of analytical strategies for security metrics data. I will discuss that in my next blog. Using this framework, you can take a security metrics program and adapt it to a variety of organizational contexts to achieve continuous security improvement over time.
In any case, here are examples of security measurement ideas that will allow you to measure your program effectively.
- Define security metrics as a manageable amount of usable data
- Design effective security metrics
- Understand quantitative and qualitative data, data sources, and collection and normalization methods
- Implement a programmable approach to security using the Security Process Management Framework
- Analyze security metrics data using quantitative and qualitative methods
- Design a security measurement project for operational analysis of security metrics
- Measure security operations, compliance, cost and value, and people, organizations, and culture
- Manage groups of security measurement projects using the Security Improvement Program
- Apply organizational learning methods to security metrics
I will expound on these and other concepts in upcoming posts.