Speaker: Jared Pfost (@JaredPfost)
Framing: IT Security Metrics in an Enterprise
If metrics are valuable, why aren’t we measuring them. Virtually no research on them.
- Measuring metric program maturity would be easy, but not valuable
- Metric programs aren’t a priority for enough CISOs for a benchmark to matter
- Additional proof needed: correlate maturity and losses
Bottom line: which metrics impact actual loss?
Make a Difference?
- Metrics don’t matter to enough people
- Results would not inspire action
- We need benchmarking to commute security posture, key attributes of effective controls and hold control owners accountable with visibility
When you provide visibility into the efficacy of your environment it drives behaviour. (Even if it’s not necessarily the behaviour you wanted…at least they make a risk-based decision)
Metrics are too hard to get now :: get vendors to improve metric repots
- Reactive: anytime a loss occurs, measure metric maturity (relevant to root cause)
- Proactive: ITPI-type measurements needed; require metrics to be defined before budget approval
- Good example: @Tripwire’s “Cost of Compliance“?
It’s crucial to effective compliance initiatives to have solid, real metrics that define program success.