Five Strategic Security Metrics To Watch

Is your security program paying off for the business? Here are five high-level metrics that the executive suite needs to watch

Information security specialists like to argue over a lengthy list of possible metrics to measure their systems' security posture.

For managers and executives, however, the picture needs to be simplified to a less controversial collection of measurements. While security administrators focus on technical metrics, managers and chief security officers have to focus on how IT security interacts with business, says Kevin Lawrence, senior security associate with IT security consultancy Stach & Liu.

"Everything comes down to whether the business impact is worth the security reward," says Lawrence. "It does not make sense to close a vulnerability if you can't then do business."

Earlier this month, industry experts weighed in on their top five metrics for tactical security, such as identifying dark parts of their own network and the total attack surface area. In interviews, analysts and security professionals offered a higher-level, more strategic mix of metrics to measure as well.

While some of these metrics may not directly correlate to security, getting high marks means that a company has a good level of control over its systems, network and data -- and that means security, says Andrew Jaquith, chief technology officer of security services firm Perimeter e-Security.

"Running a tighter shop, with more control, is always good for security," he says. "It means that you can react very quickly if you have to change something."

Here are five security metrics to track for businesses.

1. Keep up with the Joneses
A starting point for many companies is whether they are spending as much as the median firm in their industry. In 2012, security is expected to account for 7 percent of information-technology budgets as a whole, according to business intelligence firm Forrester Research. The number varies by industry, with financial services tending to spend more, and healthcare and manufacturers spending less.

"If your industry partners are spending six percent of their IT budget on security and you are spending two percent, that's probably an issue," says Stach & Liu's Lawrence.

While the metric does not indicate how well companies are spending their security dollars, it is a good high-level measurement.

2. High-performance patching
Keeping track of how long it takes to apply a patch to all corporate systems is another critical metric, says Perimeter's Jaquith. Measuring patching latency puts the premium on speed, and that's what's important. A week or less is best, he says.

"Patching is not everything -- there are a lot of zero-days out there," Jaquith says. "But there is an exceptionally high correlation between exploits in the wild and vulnerabilities that could be patched."

While patching is not necessarily equivalent to security, it's an indicator of whether a company has good control over its systems. A company that patches quickly is likely far more aware of vulnerabilities and the state of its systems' security, he says.

"It's not so much whether patching solves your problem, but it is a key performance indicator of whether or not you are running a tight shop," Jaquith says.
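As an added example (not code from the article or from the people quoted in it), here is one way to turn the patching-latency metric Jaquith describes into numbers an executive can track: per-patch latency measured from vendor release until the last in-scope host has the patch, with the share of patches closed within the one-week target. The patch, host and date data are constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample data (not from the article): vendor release date per patch
# and the date each in-scope host applied it (None = host still unpatched).
PATCH_RELEASES = {
    "PATCH-A": date(2012, 2, 1),
    "PATCH-B": date(2012, 2, 8),
    "PATCH-C": date(2012, 2, 10),
}
HOST_INSTALLS = {
    "PATCH-A": {"web01": date(2012, 2, 3), "web02": date(2012, 2, 4), "db01": date(2012, 2, 5)},
    "PATCH-B": {"web01": date(2012, 2, 9), "web02": date(2012, 2, 20), "db01": date(2012, 2, 12)},
    "PATCH-C": {"web01": date(2012, 2, 11), "web02": None, "db01": date(2012, 2, 12)},
}
AS_OF = date(2012, 3, 1)  # constructed "today" for the report


def patch_latency_days(patch_id, as_of=AS_OF):
    """Days from release until every in-scope host is patched.

    Returns (days, closed). A patch with any unpatched host is still open,
    so its latency keeps growing and is measured up to `as_of`; counting
    it as closed at the last install date would hide the laggard host.
    """
    release = PATCH_RELEASES[patch_id]
    installs = list(HOST_INSTALLS[patch_id].values())
    if any(d is None for d in installs):
        return (as_of - release).days, False
    return (max(installs) - release).days, True


def patching_kpis(as_of=AS_OF, target_days=7):
    """Roll per-patch latencies up into the figures an executive would watch."""
    latencies = [patch_latency_days(p, as_of) for p in PATCH_RELEASES]
    within = sum(1 for days, closed in latencies if closed and days <= target_days)
    return {
        "median_latency_days": median(days for days, _ in latencies),
        "pct_within_target": round(100 * within / len(latencies), 1),
        "open_patches": sum(1 for _, closed in latencies if not closed),
    }


if __name__ == "__main__":
    print(patching_kpis())
```

With the constructed data, one patch is closed within a week, one took 12 days, and one is still open after 20 days, so the median latency of 12 days and the 33.3 percent within-target figure both flag a shop that is slower than the one-week benchmark.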

3. All the same, more secure
For many companies, keeping systems up to date with a standard image allows their workers to more efficiently maintain and secure the dozens, or hundreds, of software programs on each system. Standardization can also help companies ensure that all their systems comply with any regulations that affect the business.

For that reason, tracking the proportion of standardized systems can give an indication of the effort required to secure information assets, says Stach & Liu's Lawrence.

"If you have 100 different computers in your environment and only 80 are standard, then you have a pretty big gap there that you need to close," he says.

4. Checking off the boxes quickly
Companies have to comply with an increasing number of regulations or mandates from their clients and customers. Measuring how quickly the business's workers check off the most critical boxes is a good measure of security operations as well, says Perimeter's Jaquith.

"This is good from a project planning standpoint, which helps you understand how well you can handle your security initiatives," he says.

Because most IT security teams are overwhelmed with lists of to-do items, the best metric is to focus only on the most critical issues found during an audit -- "the ones marked in red," Jaquith says.

5. Tame the Cowboy Infrastructure
Finally, companies that have frequent emergency patching and maintenance issues -- not to mention downtime -- are generally less secure, says Jaquith. Emergency changes are typically an indicator that the infrastructure is not well managed, he says.

"If 50 percent of your changes are done as emergency changes and not in your typical maintenance windows, you have a cowboy infrastructure," he says. "And cowboys do not lead to good operations, and more importantly, they don't lead to secure outcomes."

Most organizations have scheduled downtime or maintenance windows for backing up, patching and other activities. Keeping any activity that could impact security in those windows indicates that security and IT teams are planning adequately.
