Security pros are cooking up plates of measures and metrics for consumption by stakeholders. As the author of the Sherwood Applied Business Security Architecture (SABSA) methodology security measurement chapter, I have seen attendances on panels increase dramatically over a 10-year period. But, most of what we are serving is received as a stale stew.
We declare, "Look, nothing happened!" In terms of communicating value from our work, we are becoming more aware that it is a damaging contradictory proposition for our metrics dish to leave a "business prevention department" after-taste.
There are plenty of ingredients from which to choose: National Institute of Standards and Technology SP800-55 has been around for years. The analyst community has a large catalogue of possible metrics. Yet closer examination reveals the same old security and risk culture problems: measuring what we can, not what we should, and presenting operational measures that lack a clear message to stakeholders. If your business is caring for the homeless, manufacturing widgets, or providing financial services, recommended measures — such as the percentage of systems compliance-audited this period or the number of viruses stopped at the gateway — mean nothing in the context of the business mission. Ultimately, as a business owner, I have no room for a grey area — either security is demonstrably supporting my organizational objectives, or I will forever see it as getting in my way.
There have been attempts to create a standardized menu for metrics chefs. The Security Metrics Consortium (SecMet) is one example of a soufflé falling flat. Now ISO 27004 (International Organization for Standardization) will give us a standard for measuring our Information Security Management System (ISMS). I don't yet know if it will be the recipe for a gumbo. But if it continues to measure security in any way that does not provide demonstrable traceability back to our unique business drivers, then once again we will serve up stale stew when what we really need is to have our customers come back for seconds.