Jun 20 2012

5 Characteristics of Effective Security Metrics

Being selective and smart about what you measure can help your organization’s IT security.

One of the golden principles of IT security is to maintain a robust system for monitoring. But what happens to your company’s security if you’re wasting time looking at the wrong data?

Dwayne Melançon, chief technology officer for Tripwire, recently attended a security summit where effective security metrics were discussed, and he wrote about it on the company’s blog.

According to what he learned, the security metrics that matter share these five characteristics:

  1. Effective metrics must support the business’s goals, and the connection to those goals should be clear.
  2. Effective metrics must be controllable. (In other words, don’t report on the number of vulnerabilities in your environment, since you can’t control that. Instead, report on the % of “Critical” systems patched within 72 hours, which you can control.)
  3. Effective metrics must be quantitative.
  4. Effective metrics must be easy to collect and analyze. (Wheatman says, “If it takes 3 weeks to gather data that you report on monthly, you should find an easier metric to track.”)
  5. Effective metrics are subject to trending. (Tracking progress and setting targets is vital to get people to pay attention.)

Do your security metrics meet this standard?