SANS Institute outlines path to effective security metrics use
Metrics for security are in wide use in organizations today, with more than 80 percent of respondents to a new SANS Institute survey claiming some level of maturity in their effective use of security metrics. Yet close to half (47%) feel that a leading impediment to the effective use of security metrics is a lack of well-defined requirements for metrics.
"Metrics are – fundamentally – a communications tool, potentially very powerful in evaluating the maturity of an organization's security culture," said Barbara Filkins, survey author and Director of Research, SANS Analyst Program. "Regulatory frameworks are a starting point, but organizations need to look beyond a 'cookie cutter' approach and evaluate what needs to be measured to identify and mitigate business risk. Survey results were refreshing – supporting the need for mirroring organizational uniqueness – while providing actionable insight into how to meet the challenge of developing useful measures."