In practice, metrics and monitoring are very important in determining how well business activities are performed. This equally applies to information security.
Metrics are quantifiable measures that indicate how an activity is being performed, while monitoring is the ongoing evaluation of a system or control to determine whether it is operating effectively. This includes management review of the qualitative aspects of the key metrics of the information security program.
Types of Metrics
While putting in place an information security program, one should not forget that there is no one-size-fits-all framework of metrics. The security manager has to determine what metrics shall apply for whom and for what purpose.
Everything is about context: for example, it is not very useful to state the number of packets dropped by a firewall unless one puts it into perspective for the target audience.
Compliance Metrics are those that deal with conformance to regulations and internal goals and give incentive for compliance due to the associated penalties for noncompliance.
Organizational Awareness Metrics are those that measure awareness of security policies through training completed and knowledge assessments by employees.
Operational Productivity Metrics are those that measure the productivity of staff to perform key work; this helps justify automation of processes when needed.
Organizational Support Metrics reflect the level of alignment of projects with organizational goals; yet, actual support is difficult to measure.
In contrast, Technical Security Architecture Metrics derive their measurements directly from automated systems, such as firewalls and intrusion detection systems. While these indicators can be highly granular, most of them lack business context unless they are connected to some form of operational consequence.
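As an added illustration of the context point made above (this is example code, not part of the original text), the following Python turns a raw firewall drop count into metrics tied to business consequence and phrases them for two audiences; the log format, the asset criticality map and the sample events are all constructed assumptions:

```python
from collections import Counter

# Constructed sample (assumption): one dropped packet per line, key=value fields.
FIREWALL_LOG = """\
2024-05-01T09:00:01Z DROP src=203.0.113.7 dst=10.0.5.20 dport=3389
2024-05-01T09:00:02Z DROP src=203.0.113.7 dst=10.0.5.20 dport=3389
2024-05-01T09:00:05Z DROP src=198.51.100.9 dst=10.0.9.4 dport=23
2024-05-01T09:01:10Z DROP src=198.51.100.9 dst=10.0.5.21 dport=445
2024-05-01T09:02:00Z DROP src=192.0.2.44 dst=10.0.9.8 dport=80
"""
# Constructed (assumption): internal hosts that carry critical business services.
CRITICAL_ASSETS = {"10.0.5.20": "ERP database", "10.0.5.21": "file server"}

def parse_events(text):
    """Parse log lines into dicts; lines that are not DROP records are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "DROP":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        fields["ts"] = parts[0]
        events.append(fields)
    return events

def contextualize(events, baseline_total):
    """Attach business context: share hitting critical assets, trend vs. last period."""
    total = len(events)
    critical = [e for e in events if e.get("dst") in CRITICAL_ASSETS]
    ports = Counter(e.get("dport") for e in events)
    trend = (total - baseline_total) / baseline_total * 100 if baseline_total else None
    return {
        "total_drops": total,  # the raw number: says little on its own
        "critical_asset_drops": len(critical),
        "critical_share_pct": round(100 * len(critical) / total, 1) if total else 0.0,
        "top_port": ports.most_common(1)[0][0] if ports else None,
        "trend_vs_baseline_pct": trend,
        "targeted_assets": sorted({CRITICAL_ASSETS[e["dst"]] for e in critical}),
    }

def executive_summary(metrics):
    """Phrase the same data for a non-technical audience."""
    t = metrics["trend_vs_baseline_pct"]
    trend_txt = "no baseline available" if t is None else f"{t:+.0f}% against last period"
    return (f"{metrics['critical_share_pct']}% of blocked traffic targeted critical "
            f"systems ({', '.join(metrics['targeted_assets'])}); volume {trend_txt}.")

if __name__ == "__main__":
    m = contextualize(parse_events(FIREWALL_LOG), baseline_total=4)
    print(m, executive_summary(m), sep="\n")
```

The full dictionary serves the technical audience (per-port breakdown), while the one-line summary carries only the share of blocks aimed at critical systems and the trend, which is what executive leadership can act on.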
Operational Performance Metrics report on how well security operations are executed: incident response times, the effectiveness of patch management, and many more.
Finally, Security Cost Efficiency Metrics relate the resources allocated to key controls to the cost reduction and risk management they deliver.
Audiences and Continuous Improvement
When a metrics program is being executed, it is important to address the audience for each metric. A security manager must make sure metrics make sense to the audience that they are intended to reach.
For example, technical detail will more than likely go right over the heads of executive leadership. Presenting operational metrics in strategic terms that are relevant to that audience increases their effectiveness.
Continuous improvement is part of an organization's culture: the perpetual process of improving processes and controls.
ISO/IEC 27001, for one, stresses that continual improvement of the ISMS is essential. Similarly, NIST guidance calls for feedback loops that enable continuous improvement of risk management practices.
This leads an organization to a comprehensive model that not only measures performance but also ensures continuous improvement of information security.