
5 Strategic Security Metrics To Watch

Is your security program paying off for the business? Here are five high-level metrics that the executive suite needs to watch.

Information security specialists like to argue over a lengthy list of possible metrics to measure their systems' security posture.

For managers and executives, however, the picture needs to be simplified to a less controversial collection of measurements. While security administrators focus on technical metrics, managers and chief security officers have to focus on how IT security interacts with business, said Kevin Lawrence, senior security associate with IT security consultancy Stach & Liu.

"Everything comes down to whether the business impact is worth the security reward," said Lawrence. "It does not make sense to close a vulnerability if you can't then do business."

Earlier this month, industry experts weighed in on their top-5 metrics for tactical security, such as identifying dark parts of their own network and the total attack surface area. In interviews, analysts and security professionals offered a higher-level, more strategic mix of metrics to measure as well.

While some of these metrics may not directly correlate to security, getting high marks means that a company has a good level of control over its systems, network and data, and that means security, said Andrew Jaquith, chief technology officer of security services firm Perimeter e-Security.

"Running a tighter shop, with more control, is always good for security," he said. "It means that you can react very quickly if you have to change something."

Here are five security metrics for businesses to track.

1. Keep up with the Joneses
A starting point for many companies is whether they are spending as much as the median firm in their industry. In 2012, security is expected to account for 7% of IT budgets as a whole, according to business intelligence firm Forrester Research. The number varies by industry with financial services tending to spend more, and healthcare and manufacturers spending less.

"If your industry partners are spending 6% of their IT budget on security and you are spending 2%, that's probably an issue," said Stach & Liu's Lawrence.

While the metric does not indicate how well companies are spending their security dollars, it is a good high-level measurement.

Read the rest of this article on Dark Reading.


3/1/2012 | 7:04:13 AM
re: 5 Strategic Security Metrics To Watch
Thanks for sharing the great article about security. Really, it's a must for all :)