It’s no surprise, then, that business executives are beginning to question what they’re getting for their IT security spending. Their tolerance for technospeak such as distributed denial of service attacks and buffer overruns is rapidly decreasing. Networks were private and built around proprietary protocols. Then, seemingly overnight, applications were turned inside out. Private networks gave way to the Internet for all communication and information sharing. Worms and viruses became the norm, and costs from security-related business interruption skyrocketed.
In its early phases, senior executives primarily cared about containing the security problem and let the technology experts decide what to do. As budgets increased, the technologies became at once more sophisticated and more numerous, eventually multiplying into a seemingly unlimited number of subcategories and products. In this rapid spend cycle, IT security products emerged as standalone solutions, incapable of working in an ecosystem or sharing information with one another.
Are IT security teams equipped to think about “results” when they can barely keep up with the administration and information overload from all those products they acquired? Executives set goals based on identified metrics, and then measure and manage to the established goal. ROI is great when the goal is to increase revenues or reduce costs. When all the technology talk is set aside, the goal of IT security can be simply stated as minimizing risk at the lowest possible cost.
Organizations will demonstrate how they are managing risk across their information systems and networks and compare today’s results to last week, last month, last quarter, last year. And by comparing risk trends with security spend, executives will clearly understand how their investment in security is being managed, and the effectiveness of that spend.
But should such an event occur, organizations will have clearly documented processes and metrics that prove a standard of due care was in place.
Measuring costs is easy, so let’s focus on measuring risk. For example, advanced vulnerability and risk management systems can continuously identify and profile assets on a network to objectively and automatically measure vulnerability risk, configuration and security policy compliance, and other specific metrics to produce a risk “score” for each device. These asset risk scores can then be aggregated across the entire network and reported by region, application, operating system, business unit and numerous other ways.
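To make the scoring-and-aggregation idea concrete, here is an added example (not code from the article or from any product it alludes to) that computes a per-asset risk score from a constructed inventory, rolls the scores up by region, operating system or business unit, and compares one period's roll-up with the previous one, which is the kind of trend an executive would ask for. The severity weights, the per-failed-check penalty, the 100-point cap and the four sample hosts are all assumptions made for the example.

```python
"""Per-asset risk scoring and roll-up by reporting dimension (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Assumed weights: one point value per vulnerability severity, a fixed penalty
# per failed configuration/policy check, and a cap so one host cannot dominate.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
POLICY_FAIL_WEIGHT = 2.0
MAX_SCORE = 100.0


@dataclass
class Asset:
    hostname: str
    region: str
    os: str
    business_unit: str
    vulns: list          # severity label of each open finding on the host
    failed_checks: int   # number of failed configuration/policy checks


def asset_risk_score(asset: Asset) -> float:
    """Weighted sum of open findings plus policy failures, capped at MAX_SCORE."""
    raw = sum(SEVERITY_WEIGHT.get(s.lower(), 0.0) for s in asset.vulns)
    raw += POLICY_FAIL_WEIGHT * asset.failed_checks
    return min(raw, MAX_SCORE)


def aggregate(assets: list, dimension: str) -> dict:
    """Roll per-asset scores up by an Asset attribute (region, os, business_unit)."""
    groups = defaultdict(list)
    for asset in assets:
        groups[getattr(asset, dimension)].append(asset_risk_score(asset))
    return {
        key: {"assets": len(scores), "total": sum(scores),
              "mean": round(mean(scores), 2), "max": max(scores)}
        for key, scores in groups.items()
    }


def trend(current: dict, previous: dict) -> dict:
    """Change in mean score per group between two roll-ups (positive = riskier)."""
    return {
        key: round(current.get(key, {}).get("mean", 0.0)
                   - previous.get(key, {}).get("mean", 0.0), 2)
        for key in set(current) | set(previous)
    }


# Constructed inventory snapshots for two consecutive periods.
THIS_MONTH = [
    Asset("web01", "us-east", "Linux", "retail", ["critical", "high", "low"], 1),
    Asset("db01", "us-east", "Linux", "finance", ["high", "medium"], 0),
    Asset("win-fs", "eu-west", "Windows", "finance", ["medium", "medium", "low"], 3),
    Asset("kiosk", "eu-west", "Windows", "retail", ["critical"] * 12, 0),
]
LAST_MONTH = [
    Asset("web01", "us-east", "Linux", "retail", ["critical", "high", "high", "low"], 2),
    Asset("db01", "us-east", "Linux", "finance", ["high", "medium"], 0),
    Asset("win-fs", "eu-west", "Windows", "finance", ["medium", "low"], 1),
    Asset("kiosk", "eu-west", "Windows", "retail", ["critical"] * 12, 0),
]

if __name__ == "__main__":
    for dim in ("region", "os", "business_unit"):
        print(dim, aggregate(THIS_MONTH, dim))
    print("trend by region",
          trend(aggregate(THIS_MONTH, "region"), aggregate(LAST_MONTH, "region")))
```

The cap matters: the kiosk host with twelve critical findings scores 100 rather than 120, so a single badly neglected device raises its region's mean without hiding every other host's movement. Reporting the mean next to the max and the asset count lets a reader tell whether a group is uniformly weak or dragged down by one outlier.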
http://www.it-observer.com/articles/1282/measuring_security/