How can businesses measure the effectiveness of their IT security teams to ensure they are getting value?
Make sure security information is available at the right level.
The question of how to measure the value of security in an organisation has not been fully answered since the information security discipline was created. This, in my opinion, is one of the reasons security teams find it difficult to convince the business to invest in security, except perhaps immediately after an incident.
The management of any organisation is typically good at managing based on the information (metrics, KPIs, scorecards, traffic lights and so on) available to them. However, the information needs to be at an appropriate level. Consider a CEO. Is s/he really interested in the number of vulnerabilities across all IT systems? Or would s/he be more interested in knowing how much exposure (in monetary terms) those vulnerabilities represent?
There should be three types of security risk metrics in an organisation (top to bottom): a) monetary-based risk exposure for the organisation, b) a policy compliance scorecard, and c) detailed technology and procedural metrics. These three levels need to be connected both top down and bottom up, because the outputs of the bottom level feed into the metrics above it.
Let's have a look at these in a bit more detail. At the top level, I believe there is a need to create a standardised metric similar to the Basel II 'Value at Risk' (VaR), adapted for information security. This would inform CEOs of the monetary exposure of all of the company's assets due to missing or inadequate security controls. Such a metric could be used to build a business case for security investments: "Is the investment going to lower the VaR by more than it will cost?"
At the second level, compliance with the security policy needs to be measured. If there are 20 high-level policy statements, use a scorecard metric to show the company's compliance with each one.
Finally, at the lowest level, detailed procedural and technology metrics are needed. This is where metrics such as "the number of critical vulnerabilities" or "the number of level 5 application errors" are appropriate. These are typically used in day-to-day operations.
In summary, metrics are needed for strategic, tactical and operational decisions. We, the information security community, need to work on these together.