The need for tools to help IT managers assess the effectiveness of their security investments has fueled another industry effort to develop performance measurement metrics.
The latest group to take a stab at creating such metrics is a new entity called the Security Compliance Council. The council last week announced plans to create standard measures to assess and benchmark information security performance.
IT managers said such tools can be effective, but they listed several challenges facing the new organization.
Robert Garigue, chief information security officer at the Bank of Montreal in Toronto, said the effort's chances for success will depend largely on how it builds on existing security frameworks and processes.
The bank, for example, bases a lot of its security processes on frameworks such as Carnegie Mellon University's Capability Maturity Model and the best practices contained in the Information Technology Infrastructure Library, he said.
"Over a period of time, there have been a series of processes that everyone agrees are good, such as patch management, antivirus and intrusion-detection systems," Garigue said. "What is not available is a way to integrate them into a governance framework that says, 'Here's a list of the processes that need to be implemented, and here's how well you're doing with them.'"
To be successful, the new effort must be "additive and not just a substitute" to the metrics already available, he added.
The founding members of the organization are Houston-based security vendor BindView Corp., the Computer Security Institute in San Francisco and The Institute of Internal Auditors (IIA), a 100,000-member association in Altamonte Springs, Fla.
The group's mission is to develop research- and survey-based IT security guidelines to help companies figure out what they need to do and how they are faring, said David Richards, president of the IIA.
Kim Milford, information security manager at the University of Rochester in New York said she welcomes the effort but added that its success will depend largely on the quality of the information used by the group.
For instance, she pointed out, people are reluctant to share detailed security information, and there are wide variations in the way companies implement and manage security technologies and measure incidents. Thus it can be hard to draw consistent data from different organizations, she said.
In addition, adopting someone else's definition of best practices may not always be the right solution for a company, said Christofer Hoff, director of enterprise security services at Western Corporate Federal Credit Union in San Dimas, Calif.
"It may be a cynic's view, but my reality shows that if you do what is right for your company, which does not necessarily mean adopting someone's definition of best practices, then regulatory compliance may be a natural byproduct," he said.
The latest effort highlights a longstanding challenge in the security industry and one that several others have tried to address before, said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa.
"Security ultimately is a black-hole exercise where you are successful if nothing happens," he said. "The question then is whether that was because we allocated the right set of resources to the problem or because there was no risk at all in the first place."