The Center for Internet Security (CIS) Metrics Project has run a quick poll on security metrics goals; some of the results are shown below with their permission:
“The top three goals of metrics programs are to:
- Improve security outcomes (35%)
- Improve risk management decisions (30%)
- Improve security process performance (15%)
The top three reasons why metrics are requested are (in order):
- For security trends
- Evidence of compliance
- To justify spending
The top three business benefits expected from metrics are:
- Improve security outcomes
- Align security activities with business goals
- More efficient use of resources
Metrics Programs:
- 8% have an existing program in place
- 30% have recently established metrics programs
- 62% have the creation of a metrics program as a current goal
Constraints on metrics programs are:
- Lack of resources
- Lack of information on what metrics to deploy
- Lack of capability/data access
30% of respondents cited lack of resources as the primary constraint, and many comments indicated the need for an established standard with metrics accepted as meaningful, both to move the organization and to obtain long-term resources.”
Grab the v1 metrics here. A quick start guide on them is in development.
IMHO, metrics are the #1 hole in security today: our total inability to tie security controls to outcomes is truly sad. And, yes, maybe blind diligence-based security is the answer. And then again … maybe it is not :-)