Page 61 - CISSO_Prep_ Guide
Security Metrics
The security department, like every other department of the organization, must be held accountable for its budget, deliverables, and results. Security metrics are necessary so that senior management can demonstrate governance and see into the workings and effectiveness of the security department. A failure by the security department to adequately protect the assets of the organization, including information systems, data, personnel, and equipment, may expose the organization to extraordinary risks, including financial liability, loss of market share, and even criminal charges.
Establishing meaningful metrics for security is a challenge. Metrics must measure the 'right' things, provide an accurate overview of critical functions, and be relevant to the needs of the organization. There is no sense in measuring items such as the number of types of malware discovered around the world in the past year; that is not something the security department can control or affect. Instead, the metrics should track measurable factors such as the speed at which a new breach was detected or an incident was closed off.
Development of Metrics
There are several useful approaches to developing metrics for security. The first is the use of SMART metrics, as introduced by Peter Drucker. The definitions of SMART have changed over the years, but it remains an excellent tool to ensure that the parameters being measured are appropriate for the organization. Here is one example of the application of SMART.
SMART: Specific, Measurable, Attainable, Relevant, Timely.
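As an added example (not from the guide), the following script computes the two controllable metrics the page names, time to detect and time to close, from a constructed set of incident records, and checks them against assumed targets (detect within 24 hours, close within 5 days) so the result is Specific, Measurable and Timely in the SMART sense. The incident data, field names and targets are all assumptions.

```python
from datetime import datetime
from statistics import mean, median

FMT = "%Y-%m-%dT%H:%M"

# Constructed sample incident records (not taken from the guide). Each holds
# when the malicious activity began, when the security team detected it, and
# when the incident was closed; timestamps are UTC at minute resolution.
INCIDENTS = [
    {"id": "INC-001", "began": "2024-01-03T02:15", "detected": "2024-01-03T09:40", "closed": "2024-01-05T17:00"},
    {"id": "INC-002", "began": "2024-02-11T22:05", "detected": "2024-02-14T08:30", "closed": "2024-02-20T12:00"},
    {"id": "INC-003", "began": "2024-03-20T14:00", "detected": "2024-03-20T14:25", "closed": "2024-03-21T10:00"},
    {"id": "INC-004", "began": "2024-03-28T06:50", "detected": "2024-03-29T07:10", "closed": "2024-04-02T09:00"},
]

def hours_between(start: str, end: str) -> float:
    """Elapsed hours from start to end, both FMT strings."""
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 3600

def time_to_detect(incidents):
    """Hours from first malicious activity to detection, per incident."""
    return [hours_between(i["began"], i["detected"]) for i in incidents]

def time_to_close(incidents):
    """Hours from detection to closure, per incident."""
    return [hours_between(i["detected"], i["closed"]) for i in incidents]

def metric_report(incidents, detect_target_h=24.0, close_target_h=120.0):
    """Summarise detection and closure speed against assumed targets.
    Mean and median are both reported because one slow incident can drag
    the mean far away from what is typical; the target test uses the median."""
    ttd, ttc = time_to_detect(incidents), time_to_close(incidents)

    def pct_within(values, target):
        return 100.0 * sum(v <= target for v in values) / len(values)

    return {
        "incidents": len(incidents),
        "mean_time_to_detect_h": mean(ttd),
        "median_time_to_detect_h": median(ttd),
        "pct_detected_within_target": pct_within(ttd, detect_target_h),
        "mean_time_to_close_h": mean(ttc),
        "median_time_to_close_h": median(ttc),
        "pct_closed_within_target": pct_within(ttc, close_target_h),
        "detect_target_met": median(ttd) <= detect_target_h,
        "close_target_met": median(ttc) <= close_target_h,
    }

if __name__ == "__main__":
    for key, value in metric_report(INCIDENTS).items():
        print(f"{key:30} {value:.1f}" if isinstance(value, float) else f"{key:30} {value}")
```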