Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
What Questions Should I Keep in Mind to Improve My Security Metrics?
If you can answer these six questions, you'll be off to a great start.
Question: What questions should I keep in mind to improve my security metrics?
Joshua Goldfarb, independent consultant: Security metrics is an area most organizations understand the importance of, but few do well in. While improving security metrics is a complex problem that requires a significant time investment, here are six questions to consider when looking to do so:
• Who is your audience? Before you can design and implement meaningful metrics, you need to know who they're for.
• So what? Measure what matters. If your audience is not interested in what you're measuring, it's of no value.
• Do you need all of that detail? Less is more. Report what answers the questions your audience wants you to answer. Anything beyond that reduces clarity and introduces confusion.
• Have you mapped to controls? Mapping metrics to controls allows us to more accurately measure risk within the organization.
• Are you reporting metrics regularly? Metrics are most valuable when they are living and dynamic, rather than snapshotted and static.
• Do you refine metrics? As metrics begin to lose their value or become less relevant, they must be adjusted or removed.