Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

3/16/2015
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

10 Ways To Measure IT Security Program Effectiveness

The right metrics can make or break a security program (or a budget meeting).
Previous
1 of 10
Next

As CISOs try to find ways to prove ROI to higher ups and improve the overall effectiveness of security operations, the right metrics can make or break their efforts. Fortunately, infosec as an industry has matured to the point where many enterprising security leaders have found innovative and concrete measures to track performance and drive toward continual improvement. Dark Reading recently surveyed security practitioners and pundits to find out the best time-tested metrics to prove security effectiveness, ask for greater investment, and push security staff to improve their day-to-day work.

Average Time To Detect And Respond

Also referred to as mean time to know (MTTK), the average time to detect (ATD) measures the delta between an issue occurring—be it a compromise or a configuration gone wonky—and the security team figuring out there's a problem. 

"By reducing ATD, Security Operations Center (SOC) personnel give themselves more time to assess the situation and decide upon the best course of action that will enable the enterprise to accomplish its mission while preventing damage to enterprise assets," says Greg Boison, director of cyber and homeland security at Lockheed Martin.

Meanwhile, the mean time to resolution or average time to respond, will measure how long it takes for the security team to appropriately respond to an issue and mitigate its risk.

"Average Time to Respond (ATTR) is a metric that tells SOC management and personnel whether or not they are meeting objectives to quickly and correctly respond to identified violations of the security policy," Boison says. "By reducing ATR, SOC personnel reduce the impact (including the cost) of security violations."

Tracking these two metrics continuously over time can show how well a security program is improving or deteriorating. Ideally they should be growing smaller over time.

(Image: Freeimages.com)

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Previous
1 of 10
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
3/17/2015 | 8:44:18 AM
Vulnerability Assessment
Many of these ways focus around and IRT(reactive) and Vulnerability Assessment Process(both proactive and reactive). These are two reactive measures that if handled effectively can increase an organization's security posture expontentially. However, many organizations do not employ these effectively. The reasons for this vary, bandwidth, personnel, expertise, etc. This is why sometimes outsourcing to an MSSP is beneficial. This argument can be made using the statistic aggregation denoted by this article.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14540
PUBLISHED: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVE-2019-16332
PUBLISHED: 2019-09-15
In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.
CVE-2019-16333
PUBLISHED: 2019-09-15
GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.
CVE-2019-16334
PUBLISHED: 2019-09-15
In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories -> Add New Category -> Name field. NOTE: this may overlap CVE-2017-16636.
CVE-2019-16335
PUBLISHED: 2019-09-15
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.