Finally – Some Metrics We Can All Use

The Center for Internet Security (CIS) has announced that they are releasing a standard set of metrics for better evaluating your infosec posture. Many companies are now requiring metrics to measure progress of various activities. Whether it be a GPA in the education field or the vast array of stock indicators for publicly traded companies, it seems that many disciplines have established metrics. Closer to security, the information technology field includes metrics for project and requirement management, software development and testing, hardware lifetimes, etc. Security, on the other hand, does not. Although security metrics have been written about in many books and articles, there just hasn’t been a central agreement on what a base set of metrics should be. Well, that may be changing, with the CIS leading the charge and releasing a set of data-driven security metrics. As reported in “New Metrics Assign Grades to Your Security Posture” from Dark Reading …

A coalition of enterprises, government agencies, universities, and vendors from around the globe tomorrow will release a set of free metrics for measuring an organization’s security posture. The nonprofit Center for Internet Security (CIS) hopes the metrics will serve as a standard method for assessing security readiness. “Today there are thousands of ways to measure this… but no two organizations measure these things the same way, and no two divisions [in the same organization] measure them in the same way,” says Bert Miuccio, CEO of CIS. “Today we are creating an objective, data-driven way to measure the security status of an enterprise.”

These guidelines are a welcome addition to something that we’ve sorely needed for a long time. So no more generating useless metrics out of thin air just to have metrics; now we have a common starting point for creating something meaningful that management can use to make better security decisions. Here’s a link to the Dark Reading article.

