Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Aug 22, 2007

Security metrics for the Bored

The CSO Executive Council is running a series of surveys to assess security metrics practices. The latest survey report revealed that two thirds of respondents do not gather security program data in order to create statistical reports to present to senior management, and followed up with the following sample of explanations:
- Not requested, and no value to security program at this point.
- Lack of management interest in seeing security metrics.
- Lack of interest by senior management.
- No funding.
- Embryonic.
- Information is gathered and presented to senior IT security management.
- Security organization is not established due to budget constraints.
- Nobody is asking, and I would not know what to prepare.
- Time, not sure what to measure.
- No good collection method.
- Didn't start to do it yet. We plan to do it in the near future.
- Data points too qualitative.
- No manpower.
- No formal security program.
- Not my responsibility.
- No demand from The Clueless.
- Not my role.
- Narrative reports are provided, not statistical.
- Not needed for awareness, budgeting, etc.
- Haven't developed metrics.
- Management doesn't know that they want this.
- Not requested.
- Don't have the requisite systems in place.
- Insufficient resources to gather automatic and consistent metrics.

"Lack of interest from senior management" caught my eye and "No demand from The Clueless" made me smile but rather than simply accepting this sad state of affairs, how about running some security awareness activities to give senior managers a clue? If information is seen as a valuable organizational asset, the need to protect it is a natural and easy step (and if not, you have more fundamental issues!). If protecting information assets is important, measuring the extent of protection and identifying improvement opportunities is also important, isn't it? So there we are: an executive security awareness program in one paragraph.

I have more sympathy with other comments about the difficulties of designing an objective metrics scheme for information security. It's hard to figure out security metrics that are both simple/cheap to gather and meaningful/useful. My discussion paper published in ISSA Journal in July 2006 might help, as may a paper written by members of the ISO27k Implementers' Forum at ISO27001security.com that derives pragmatic security metrics from ISO/IEC 27002.

Take the CSO Executive Council's third Security Program Scorecard survey to be eligible for a drawing for a copy of Measures and Metrics in Corporate Security.