Monday, April 05, 2010

CISecurity Metrics Move Ahead

The Center for Internet Security Metrics Project has done a quick poll on security metrics goals; some of the results are shown below with their permission:

“The top three goals of metrics programs are to:

  1. Improve security outcomes (35%)
  2. Improve risk management decisions (30%)
  3. Improve security process performance (15%)

The top three reasons why metrics are requested are (in order):

  1. For security trends
  2. Evidence of compliance
  3. To justify spending

The top three business benefits expected from metrics are:

  1. Improve security outcomes
  2. Align security activities with business goals
  3. More efficient use of resources

Metrics Programs:

  •   8% have an existing program in place
  •   30% have recently established metrics programs
  •   62% have the creation of a metrics program as a current goal

Constraints on metrics programs are:

  1. Lack of resources
  2. Lack of information on what metrics to deploy
  3. Lack of capability/data access

30% of respondents cited lack of resources as the primary constraint, and many comments indicated the need for an established standard with metrics accepted as meaningful in order to both move the organization and to obtain long-term resources.”

Grab the v1 metrics here. A quick start guide on them is in development.

IMHO, metrics are the #1 hole in security today: our total inability to tie security controls to outcomes is truly sad. And, yes, maybe blind diligence-based security is the answer. And then again … maybe it is not :-)

Dr Anton Chuvakin