You can measure security!


Rothman posted some thoughts on security metrics (here), spurred on by a posting by Joel on Software (here) – I have debated this issue with folks for years and continue to do so.

Advances in science are amazing and accelerating rapidly, from mapping the human genome to medicine's ability to extend the life and comfort of those who are injured, diseased, or dying. Technology has given us tools to investigate the depths of space and of our oceans; we are finding new specimens daily, improving our ability to manipulate our environment for the betterment of society (not always in a good way), and using mathematics, statistical modeling and reasoning to better understand subtle patterns in human behavior and the world around us. We are, as a species, extremely intelligent, yet measuring security program efficiency and enterprise security effectiveness still eludes us; it is treated as a dark art, full of magic that precludes evaluation, rational thought and structured analysis.

Apparently measuring security is like anal probing. Aliens, with their advanced technology, have cracked the space/time continuum but apparently the mysteries of the human rectum still elude them – security metrics are like the ass of IT, with all our advances it still eludes us.

As I stated before (here), enterprise security is evolving, maturing, becoming more aligned with the business, and coordinating more with other operations teams. Organizations are moving from simple, reactive element management to more complex, proactive, business-oriented service and process management (buzzword bingo, anyone?). What does that actually mean?

It means that security doesn't just update product signatures, tell operations to patch to divert some impending incident, and jump up and down when there is a worm, virus or other malware outbreak. Security must be involved in defining policies for the configuration of devices, the provisioning of people, and the optimization of processes. The impetus to measure security is being driven by the same changing tides of IT: a dynamic threat environment requires greater security effectiveness, the business requires greater service delivery and process support, and compliance requires greater visibility. We can no longer just throw our hands in the air, sigh, and say we cannot measure security. You can measure security, and you can measure it throughout the entire incident timeline: pre-incident (before something bad actually happens), during an incident (when all heck is breaking loose) and post-incident (when everyone is sitting around wondering what the hell happened).

You can measure security! You can deliver a security SLA! You can use metrics to improve security efficiency! You can measure your security program's effectiveness!

Security metrics can provide insight into the effectiveness of a security program by giving visibility into such things as the number of elements compliant with corporate policy, the vulnerabilities and exposures relative to the external threat environment, the protection mechanisms in place to prevent exploitation of those vulnerabilities and exposures, the ability of security and operations to cooperate in resolving issues, and so on. Security metrics can also be used to gain insight into security program efficiency and support process improvement through analysis of workflow and trending data, such as incident response times, improvement of security posture (vulnerabilities and exposures) over time, time to patch or configure against policy, adherence to service level agreements, and so on.

I am not going to list all of the potential metrics in this post (I have a whitepaper on the topic that will be published soon), but organizations should leverage metrics that provide visibility into the current state of the organization: metrics that show the security posture against known threats (please don't start with "what about all those less-than-zero-day attacks?"; perceived threats vs. real threats is a red herring), support process improvement, measure adherence to compliance initiatives, provide information on the involvement of security in various operational efforts, and give insight that can be used for the allocation of resources.
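As an added illustration (not code from the post), here is a small Python calculation of the kinds of metrics listed above over constructed finding records: policy compliance rate (pre-incident), open backlog (during an incident), and mean time to patch and SLA adherence (post-incident). The 30-day patch SLA, the asset names and the dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional

PATCH_SLA = timedelta(days=30)  # assumed policy: remediate within 30 days


@dataclass
class Finding:
    asset: str
    found: datetime
    fixed: Optional[datetime]  # None while the finding is still open
    policy_compliant: bool     # does the asset meet configuration policy?

T0 = datetime(2008, 1, 1)
REPORT_DATE = T0 + timedelta(days=50)
# Constructed sample records (not from the post): one row per finding.
FINDINGS: List[Finding] = [
    Finding("web-01", T0, T0 + timedelta(days=10), True),
    Finding("web-02", T0, T0 + timedelta(days=45), False),
    Finding("db-01", T0 + timedelta(days=5), None, True),
    Finding("web-01", T0 + timedelta(days=20), T0 + timedelta(days=25), True),
    Finding("mail-01", T0 + timedelta(days=2), T0 + timedelta(days=40), False),
]

def compliance_rate(findings: List[Finding]) -> float:
    """Pre-incident: share of distinct assets that meet policy."""
    by_asset = {f.asset: f.policy_compliant for f in findings}
    return sum(by_asset.values()) / len(by_asset)

def mean_time_to_patch_days(findings: List[Finding]) -> float:
    """Post-incident: average days from discovery to fix (closed findings only)."""
    return mean((f.fixed - f.found).days for f in findings if f.fixed)

def sla_adherence(findings: List[Finding], as_of: datetime,
                  sla: timedelta = PATCH_SLA) -> float:
    """Share of findings within SLA as of a reporting date: a closed finding counts
    if fixed by its deadline; an open one is a breach once the deadline has passed."""
    ok = sum(1 for f in findings if (f.fixed or as_of) <= f.found + sla)
    return ok / len(findings)

def open_backlog(findings: List[Finding], as_of: datetime) -> int:
    """During-incident view: findings discovered but not yet fixed."""
    return sum(1 for f in findings if f.found <= as_of and f.fixed is None)

if __name__ == "__main__":
    print(compliance_rate(FINDINGS), mean_time_to_patch_days(FINDINGS),
          sla_adherence(FINDINGS, REPORT_DATE), open_backlog(FINDINGS, REPORT_DATE))
```

Trending these four numbers across reporting periods gives the process-improvement view the post describes, rather than a one-off snapshot.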

It is time for security to grow up and be held accountable in the same way the rest of the business is. Honestly if you cannot measure something how can you possibly hope to improve it?

15 thoughts on “You can measure security!”

  1. Pingback: No Metrics, No Budget (or Paycheck) | securosis.com

  2. Pingback: Inefficiencies, Politics, SOX Risk and Silliness - RiskAnalys.is

  3. Pingback: Spire Security Viewpoint

  4. Pingback: Episteme - Belief. Knowledge. Wisdom.

  5. Pingback: Kartar.Net

  6. Mr. Williams, I am currently working on my PhD in information security, based on metrics. If you ever read this, could you please let me know when you publish your white paper? I am curious to read it. Thanks in advance.

  7. Pingback: You Can Measure Security - The Remix - Metrics Matter « Observations of a digitally enlightened mind

  8. Pingback: Top 5 Concepts Every IT Security Professional Must Understand in 2008 « Observations of a digitally enlightened mind

  9. Pingback: 5 Security Metrics That Matter « Observations of a digitally enlightened mind

  10. Pingback: Top 5 Abused/Misused/Miscontrued Terms in Information Security « Amrit Williams Blog

  11. Pingback: Security Insights Blog » The Importance (Or Not) Of Numbers

  12. Anything that can be measured can be controlled, and anything that's controlled can be audited. So security can be measured via audits! Bingo!

  13. Pingback: Kartar.Net » Blog Archive » You can measure security! « Observations of a digitally enlightened mind
