The nonprofit Center for Internet Security is devising community-based IT security metrics that measure the information security posture of an organization.

The metrics, to be released soon, were created in collaboration with a number of security experts from various commercial, government and academic entities. The CIS claims they are unambiguous methods for measuring the status of information security in an enterprise.

The initial set of outcome and process metrics will cover statistics such as:

  • The percentage of systems configured to approved standards
  • The percentage of systems patched to policy
  • The percentage of systems with anti-virus
  • The percentage of business applications that had a risk assessment
  • The percentage of business applications that had a penetration or vulnerability assessment
  • The percentage of application code that had a security assessment, threat model analysis, or code review prior to production deployment
  • Mean time between security incidents
  • Mean time to recover from security incidents
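To make the listed metrics concrete, here is an added Python example (not CIS's own code or methodology) that computes the system-level percentages and the two incident timing metrics from a constructed asset inventory and incident log; the field names, the choice to measure "time between incidents" from detection to detection, and all sample values are assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample inventory: one record per system with the three
# boolean attributes the metrics list asks about (not real data).
SYSTEMS = [
    {"id": "srv-01", "config_approved": True,  "patched_to_policy": True,  "antivirus": True},
    {"id": "srv-02", "config_approved": True,  "patched_to_policy": False, "antivirus": True},
    {"id": "wks-01", "config_approved": False, "patched_to_policy": False, "antivirus": True},
    {"id": "wks-02", "config_approved": False, "patched_to_policy": True,  "antivirus": False},
]

# Constructed incident log: (detected, recovered) ISO 8601 timestamps.
INCIDENTS = [
    ("2009-01-05T08:00", "2009-01-05T20:00"),
    ("2009-02-04T08:00", "2009-02-05T08:00"),
    ("2009-03-16T08:00", "2009-03-16T14:00"),
]

def percentage(systems, attr):
    """Percentage of systems whose boolean attribute `attr` is true (0.0 for an empty inventory)."""
    if not systems:
        return 0.0
    return 100.0 * sum(1 for s in systems if s[attr]) / len(systems)

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def mean_time_between_incidents_hours(incidents):
    """Mean gap between consecutive detections, in hours (assumed definition).
    Returns None when fewer than two incidents exist, since no gap is defined."""
    starts = sorted(start for start, _ in incidents)  # ISO strings sort chronologically
    if len(starts) < 2:
        return None
    return mean(_hours(a, b) for a, b in zip(starts, starts[1:]))

def mean_time_to_recover_hours(incidents):
    """Mean detection-to-recovery duration in hours; None when there are no incidents."""
    if not incidents:
        return None
    return mean(_hours(start, end) for start, end in incidents)

def outcome_metrics(systems, incidents):
    """Assemble the subset of the listed metrics that this sample data supports."""
    return {
        "percent_configured_to_standard": percentage(systems, "config_approved"),
        "percent_patched_to_policy": percentage(systems, "patched_to_policy"),
        "percent_with_antivirus": percentage(systems, "antivirus"),
        "mtbsi_hours": mean_time_between_incidents_hours(incidents),
        "mttr_hours": mean_time_to_recover_hours(incidents),
    }
```

The application-level percentages in the list follow the same `percentage` pattern over an application inventory rather than a system inventory.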

“Government and industry spend lots of time and money to improve cybersecurity, but often the focus is more on compliance with best practices rather than outcomes,” Bert Miuccio, CEO of CIS, said in a statement. “Enterprise leaders and information security professionals struggle to make cost-effective security investment decisions largely because they lack specific, consistent, widely accepted outcome metrics for decision support.”

Gartner analyst John Pescatore told SCMagazineUS.com on Monday that he thinks CIS' efforts are a good thing, though in his view the metrics chosen are already fairly standard in the IT security industry.

“Businesses need this benchmarking to understand how others in their specific industry are addressing security issues,” he said.