Implementing Security Metrics Initiatives

lthough Global 2000 organizations today are becoming increasingly aware of the importance of a metrics program to maximize the effectiveness of an information security strategy, there’s little guidance available around the practical “how to’s” of putting such a program into practice. As a result, security metrics are shrouded in mystery and are considered “too hard” to do — with the end result being that this necessary and effective management tool has yet to be implemented at many organizations, and in the organizations where it has been launched, it has yet to be automated to ease management and reduce resource costs. As security spending continues to rise, industry analysts contend that metrics initiatives will become critical to managing and understanding the impact of security programs. According to the Yankee Group’s “2005 U.S. Network Management Survey,” companies will spend $16.9 billion on IT management, of which one-fifth will be devoted to security. Metrics and measurement are being highlighted as ways for organizations to meaningfully assess the effectiveness of IT security programs.