The nonprofit Center for Internet Security is devising community-based IT security metrics that measure the information security posture of an organization.
The metrics, to be released soon, were created in collaboration with a number of security experts from various commercial, government and academic entities. The CIS claims they are unambiguous methods for measuring the status of information security in an enterprise.
The initial set of outcome and process metrics will cover statistics such as:
“Government and industry spend lots of time and money to improve cybersecurity, but often the focus is more on compliance with best practices rather than outcomes,” Bert Miuccio, CEO of CIS, said in a statement. “Enterprise leaders and information security professionals struggle to make cost-effective security investment decisions largely because they lack specific, consistent, widely accepted outcome metrics for decision support.”
Gartner analyst John Pescatore told SCMagazineUS.com on Monday that he considers CIS' efforts a good thing, though in his view the new metrics chosen are already fairly standard in the IT security industry.
“Businesses need this benchmarking to understand how others in their specific industry are addressing security issues,” he said.