We usually think about benchmarks in terms of their ability to size up the competition or to teach us where we can generate bigger ROIs. Katherine Brocklehurst, however, talks about the power of benchmarking in protecting the organization from outside threats. It just might be the shield that protects you from the dragon’s fire.
A Calculated Defense
Benchmarking, whether done manually or with an analytics tool, allows organizations to track and compare security performance. It can demonstrate to the C-suite both whether security performance has improved from year to year and whether that performance is up to snuff with security across analogous organizations. The challenge comes in convincing organizations to share their metrics:
It’s common knowledge that organizations need multiple layers of technology, processes and practices to improve safety and/or minimize developing security issues. There are a few industry standards, like the Consensus Information Security Metrics (CIS), that offer their own performance goals, but few groups share metrics (and details for how to improve them) with others. We need metrics that rapidly evolve with the new as well as past threats organizations face.
The Best Metrics
Brocklehurst offers several ideas on what makes for the best metrics. They need to be factual and objective, measured consistently, and issued on normal business intervals. The data should be numeric and represent relationships like ratios and percentages. It also needs to be normalized rationally across multiple controls and technologies, with Brocklehurst bringing up examples like “three flavors of anti-virus, each with different scan cycles, unique whitelists, and updated on distinctive schedules.” The overall idea is for the numbers to tell a story, and probably a big story at that, as your place and the places of others in the industry start to fit together. You can read the full article here: http://www.tripwire.com/state-of-security/featured/key-characteristics-of-good-metrics-comparing-your-security-organization/