Security metrics are widely used in organisations today, with more than 80 per cent of respondents to a new SANS Institute survey claiming some degree of maturity regarding their effective use of security metrics.
Yet nearly half (47 per cent) feel that the lack of well-defined metric requirements is a leading impediment to the effective use of security metrics. The survey’s results and analysis, ‘Improving the Bottom Line with Effective Security Metrics’, will be shared in a two-part webcast on 12 August and 19 August, along with actionable advice.
Barbara Filkins, survey author and director of research, SANS analyst programme, said, “Metrics are – fundamentally – a communications tool, potentially very powerful in evaluating the maturity of an organisation’s security culture.
“Regulatory frameworks are a starting point, but organisations need to look beyond a ‘cookie-cutter’ approach and evaluate what needs to be measured to identify and mitigate business risk. Survey results were refreshing – supporting the need for mirroring organisational uniqueness – while providing actionable insight into how to meet the challenge of developing useful measures.”
John Pescatore, director of emerging security trends at SANS and survey advisor, said, “One of the top factors common across organisations that avoid major damage from cyberattacks is the use of business-relevant security metrics. The survey pointed out that, all too often, the most easily collected security metrics satisfy auditors but have little connection to reducing business risk.”
While analytics and data science are certainly important for the development of metrics, the survey concludes that more emphasis needs to be placed on educating and training practitioners in how to implement a metrics framework, taking into account that organisations differ in how they achieve their security goals and objectives.