Metrics are tools to facilitate decision making and improve performance and accountability. Measures are quantifiable, observable, and objective data supporting metrics. Operators can use metrics to apply corrective actions and improve performance. Regulatory, financial, and organizational factors drive the requirement to measure IT security performance. Potential security metrics cover a broad range of measurable features, from security audit logs of individual systems to the number of systems within an organization that were tested over the course of a year. Effective security metrics should be used to identify weaknesses, determine trends to better utilize security resources, and judge the success or failure of implemented security solutions.
Information security is no different: effective management of the relevant performance indicators can mean the difference between a practical, efficient project and a complete waste of money. IT managers have followed KPIs for quite some time, but in information security tracking cyber security metrics is still an uncommon and developing practice. Cyber security metrics should be identified and created for different audiences, from management level up to C-level executives.
C-SUITE & BOARD MEMBERS
DTS can help your organization build cyber security metrics using the PRAGMATIC metametrics approach. PRAGMATIC is an acronym for the criteria the method uses to rate a metric: predictive, relevant, actionable, genuine, meaningful, timely, independent and cost.
The PRAGMATIC method applies both to designing security metrics from scratch and to systematically improving your current metrics. If you are using security metrics that ‘ought to work’ in theory but for some reason don’t seem to work out so well in practice, the PRAGMATIC method helps you understand why they don’t work and identify what would need to change to make them more valuable. Simply altering the way the security metrics are analyzed and presented may be sufficient; otherwise it may be worth exploring whether changing the phrasing or definition of the metrics will turn things around.
At the end of the day, some security metrics are so poor they are simply irredeemable: the PRAGMATIC method gives you a way to put lame metrics out of their misery, saving money and encouraging management to focus their attention on the remaining fit-for-purpose metrics. Lacking this crucial step, metrics systems tend to grow, and we end up measuring what we can, not what we should. DTS can help your organization to design, build and manage the cyber security metrics and performance measurement system using the PRAGMATIC metametrics approach.
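As an added illustration (not DTS's tooling or the PRAGMATIC authors' own code), the following Python sketch shows the triage the method implies: score each candidate metric against the eight criteria named above, rank the candidates, flag the criteria dragging each one down, and retire the irredeemable ones. The 0-100 scale, the equal-weight average, the keep/retire thresholds and the sample metrics are all assumptions made for the example.

```python
from dataclasses import dataclass

# The eight criteria named on this page. Each is scored 0-100 (assumed scale;
# the page does not say how criterion scores are combined).
CRITERIA = ("predictive", "relevant", "actionable", "genuine",
            "meaningful", "timely", "independent", "cost")

RETIRE_BELOW = 40   # assumed triage thresholds, not from the page
KEEP_ABOVE = 70


@dataclass
class Metric:
    name: str
    scores: dict  # criterion -> 0..100

    def pragmatic_score(self) -> float:
        """Overall score: equal-weight mean of the criterion scores (assumed)."""
        missing = set(CRITERIA) - self.scores.keys()
        if missing:
            raise ValueError(f"{self.name}: unscored criteria {sorted(missing)}")
        return sum(self.scores[c] for c in CRITERIA) / len(CRITERIA)

    def weakest(self, n: int = 2) -> list:
        """The criteria holding the metric back, i.e. what would need to change."""
        return sorted(CRITERIA, key=lambda c: self.scores[c])[:n]


def triage(metrics: list) -> dict:
    """Rank metrics by PRAGMATIC score and sort them into keep/improve/retire."""
    ranked = sorted(metrics, key=lambda m: m.pragmatic_score(), reverse=True)
    verdicts = {}
    for m in ranked:
        s = m.pragmatic_score()
        verdict = "retire" if s < RETIRE_BELOW else "keep" if s >= KEEP_ABOVE else "improve"
        verdicts[m.name] = (round(s, 1), verdict, m.weakest())
    return verdicts


# Constructed sample: three candidate metrics with made-up criterion scores.
CANDIDATES = [
    Metric("patch SLA compliance %", dict(predictive=80, relevant=90, actionable=85,
           genuine=75, meaningful=80, timely=70, independent=60, cost=80)),
    Metric("raw count of IDS alerts", dict(predictive=10, relevant=30, actionable=15,
           genuine=50, meaningful=20, timely=70, independent=30, cost=90)),
    Metric("phishing-sim click rate", dict(predictive=60, relevant=70, actionable=75,
           genuine=55, meaningful=65, timely=50, independent=45, cost=60)),
]

if __name__ == "__main__":
    for name, (score, verdict, weak) in triage(CANDIDATES).items():
        print(f"{name:26} {score:5.1f}  {verdict:8} weakest: {', '.join(weak)}")
```

The "weakest" columns are the starting point for the rewording or redefinition step the text describes, while anything in the retire bucket is a candidate for removal.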