Yet again today I find my blood pressure rising as I read yet another incredibly biased pronouncement on security metrics from a security vendor:
"Do you know what security metrics are right for your organization? For a holistic view, both network and host metrics are required, including firewalls, routers, load balancers, and hosts."
To claim that having network and host security metrics qualifies as holistic almost beggars belief, for any thinking person's definition of the term, but I'm afraid it's typical of the incredibly myopic, purely technical perspective on security metrics, continually reiterated for blatantly obvious marketing reasons by the purveyors of ... IT security products.
Being sick and tired of explaining that IT security is a dead end off the main information security highway, I'll merely suggest a few non-technical security metrics that might get us a tiny bit closer to a truly holistic view:
- Information security ascendancy - a measure of the importance of information security in the eyes of management
- Value of information assets owned by each information asset owner - brings up the whole notion of accountability and responsibility for protecting valuable, yet vulnerable, information
- Security governance maturity - mmm, governance, yes, I've heard of that
- Business continuity plan maintenance status - oh I suppose we ought to consider the remote possibility that our expensive antivirus systems and firewalls might not be the perfect solutions we were sold
- Corporation's economic situation - can we even afford those fancy security gadgets?
- Number of important operations with documented & tested security procedures - oh yes, procedural controls, I've heard of them
- Information security budget variance - a lone example from a substantial class of financial metrics that are distinctly relevant to both information security and the business
- Security metametrics, such as PRAGMATIC - a way to sift seeds from chaff.
For a holistic view of information security, I respectfully submit that "network and host metrics" fall woefully short of sufficient. They are needed, yes, but they are definitely not enough.