Making Metrics Count
The metrics an organization chooses to focus on should “work together synergistically to deliver the right information,” Hanslovan says.
For example, how long it takes to respond to an event is relatively meaningless if attackers have been lurking in a network for months and have already planted a mountain of malware. “You might respond quickly but it’s too late,” Hanslovan points out. However, when an organization uses a combination of metrics it’s possible to obtain a more complete picture of how the organization is faring.
A key to constructing an effective security metrics framework is broad and deep visibility, he continues. This means delivering critical data to the people who matter in a form they can digest. The ideal is a unified view or dashboard for viewing results and spotting problems early. This may require some custom development. “It’s essential to have a way to measure things consistently and automatically,” Hanslovan notes.
Metrics can serve as a starting point for discussing how to evolve and advance a security strategy, delivering clues about a need for new types of products, or where to focus additional resources, Hogaboom points out. “When you have the right data available,” she stresses, “it’s a lot easier to make the right security decisions.”