Metrics that measure are good. Metrics that measure the right things are better. What are the right things to measure? Metrics must explain a security risk or challenge in a way that your organization's management team can readily understand. These metrics must be actionable, meaning that they should show where you are today and where you need to be tomorrow to obtain or maintain the level of security or risk prevention that is right for your enterprise.
The CSO may want to implement a data security gateway strategy and plan to ask for funding, lest some important data gets misappropriated or misused on your watch. How many records containing private data are there in your data center? What would be the organizational cost if that database were breached? The CSO not only needs to develop and monitor their own organization's metrics; they also need to understand the industry-based metrics that may be available. Have you read a recent “Data Breach Investigations Report” from Verizon Business, a “Global Internet Security Report” from Symantec, or a Ponemon Institute data breach cost study? These are three useful examples of valuable metrics tracking where the dangers lie and what the costs of those dangers have been across industry and government. Learn these numbers and use them in conjunction with your own to present a holistic, comparative picture of the security problems faced, how those problems manifest themselves in your environment, and the potential to indemnify your organization against future loss through security spending now.
So what to measure? Resolve to start with some basics. How many potential threats are detected through your various forms of monitoring on a monthly basis? Are damaging incidents appearing in places that you thought were adequately protected? Report on this to your management and governance bodies. You'll sleep better at night. That sounds like a good resolution to me. Here's to a safe and secure new year.
»Identify the problem
Do you know the classification of the data that you want to protect and the typical industry costs of a breach of that data? asks Dan Srebnick, CISO of the city of New York.
Have you identified those things within your organization that you should measure to help your organization understand how and where to invest in risk mitigation?
For example, the CSO may see a need for technology to better protect data. But how does one quantify the cost of not addressing the problem versus the price of doing something?
»Selling it to the C-suite
Resolve to be prepared to answer the tough questions execs are sure to ask, and explain how technology or staffing can help to mitigate the risk that the numbers present.