Metrics fall short of mark on security

A better approach: combine information security metrics with other performance indicators

September 26, 2005 12:00 PM ET

Computerworld - LAS VEGAS -- Metrics that measure only the performance of security personnel and the tools they use are of limited value when it comes to assessing the true effectiveness of data protection investments, said IT managers at a conference here last week.


Attendees at the conference, which was held by the Information Systems Audit and Control Association, said that a better approach is to combine information security metrics with other performance indicators, such as the effect that security problems have on internal business processes or the availability of applications to end users.


"Most metrics only indicate that a security program is doing the things it needs to do," said Scott Blake, chief information security officer (CISO) at Boston-based Liberty Mutual Insurance Co. "It doesn't get us to a point where we have a real understanding of the risks to the data."


For instance, metrics that measure compliance with internal requirements or the time it takes to patch systems might offer good insight into how effectively a security program is working, Blake said.


"But in my mind, it only tells us that we are doing things," he added. What's really needed, Blake said, is insight into whether the overall risk to business operations has been reduced as a result of investments in IT security.


Qualitative Assessments


The key is to focus on metrics that demonstrate "quality of accomplishment," said Nancy DeFrancesco, CISO at the U.S. Department of Commerce in Washington. "Metrics are extremely important, but you need to have both quantitative and qualitative ones."


For example, DeFrancesco said, in addition to having a set of quantitative metrics, it helps if a security staff can show that it has a repeatable process in place for handling security incidents.


"A quantitative measure may indicate your posture at one point in time, whereas a qualitative measure would promote the overall maturity of your IT security organization," she said.


Technology-oriented metrics can give IT staffs "important data points to either validate or invalidate" questions about issues such as attack trends, said John Pironti, principal security consultant at Unisys Corp. in Blue Bell, Pa.


But because those metrics don't give a picture of the true business impact of security investments, it's also necessary to track key performance indicators on the business side and show how attacks against pieces of a company's IT infrastructure can affect operations, Pironti said.


Examples include measuring the amount of time that end users are unable to access their systems because of a worm infection, or tracking the number of complaints resulting from systems being unavailable to users, he said.
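The distinction the speakers draw, between metrics that show a security program is doing things and metrics that show what attacks cost the business, is easier to see with numbers. The following Python is an added example (not code from the article or from any of the organizations quoted) that computes both kinds of measure from a small set of incident and patch records. The records, host names and cause labels are constructed for illustration; the record layout is an assumption, since the article describes the metrics only in general terms.

```python
"""Activity metrics versus business-impact metrics for a security program.

Added example; the outage and patch records below are constructed, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Outage:
    cause: str            # assumed label, e.g. "worm" or "hardware"
    start: datetime
    end: datetime
    affected_users: int   # users who could not reach their systems
    complaints: int       # help-desk tickets attributed to the outage


@dataclass(frozen=True)
class PatchRecord:
    host: str             # hypothetical host name
    available: datetime   # when the vendor fix became available
    applied: datetime     # when it was installed on the host


# Constructed sample data: two worm outages and one unrelated hardware outage.
OUTAGES = [
    Outage("worm", datetime(2005, 8, 16, 9), datetime(2005, 8, 16, 13), 500, 120),
    Outage("worm", datetime(2005, 8, 17, 8), datetime(2005, 8, 17, 10), 200, 35),
    Outage("hardware", datetime(2005, 8, 20, 14), datetime(2005, 8, 20, 15, 30), 80, 10),
]

# Constructed sample data: three hosts patched 2, 6 and 4 days after release.
PATCHES = [
    PatchRecord("web01", datetime(2005, 8, 9), datetime(2005, 8, 11)),
    PatchRecord("web02", datetime(2005, 8, 9), datetime(2005, 8, 15)),
    PatchRecord("db01", datetime(2005, 8, 9), datetime(2005, 8, 13)),
]


def mean_time_to_patch_days(patches):
    """Activity metric: average delay between patch release and installation."""
    if not patches:
        return 0.0
    delays = [(p.applied - p.available).total_seconds() / 86400 for p in patches]
    return sum(delays) / len(delays)


def user_hours_lost(outages, cause=None):
    """Impact metric: user-hours of unavailability, optionally for one cause.

    Each outage contributes (duration in hours) x (users affected), so a short
    outage that hits many users weighs as much as a long one that hits few.
    """
    total = 0.0
    for o in outages:
        if cause is not None and o.cause != cause:
            continue
        hours = (o.end - o.start).total_seconds() / 3600
        total += hours * o.affected_users
    return total


def complaints_by_cause(outages):
    """Impact metric: help-desk complaints grouped by outage cause."""
    counts = defaultdict(int)
    for o in outages:
        counts[o.cause] += o.complaints
    return dict(counts)


def security_share_of_downtime(outages, security_causes=("worm",)):
    """Fraction of all user-hours lost that is attributable to security causes."""
    total = user_hours_lost(outages)
    if total == 0:
        return 0.0
    sec = sum(user_hours_lost(outages, cause=c) for c in security_causes)
    return sec / total


def scorecard(outages, patches):
    """Combine the program's own metric with the business-side indicators."""
    return {
        "mean_time_to_patch_days": mean_time_to_patch_days(patches),
        "user_hours_lost_total": user_hours_lost(outages),
        "user_hours_lost_to_worms": user_hours_lost(outages, cause="worm"),
        "complaints_by_cause": complaints_by_cause(outages),
        "security_share_of_downtime": security_share_of_downtime(outages),
    }


if __name__ == "__main__":
    for name, value in scorecard(OUTAGES, PATCHES).items():
        print(f"{name}: {value}")
```

Reporting the two rows side by side is the point: a four-day mean time to patch says the program is working, while 2,400 user-hours lost to worm outages in the same period says what the exposure actually cost and whether the next investment should target it.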


