Pro+ Content/Information Security magazine

Thank you for joining!
Access your Pro+ Content below.
October 2009

Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way

Risk metrics were virtually non-existent three years ago when I took over as Kodak's global IT security and risk manager. The company's risk management process was cumbersome, time-consuming, inconsistent, and subjective; as a result, we were lacking a comprehensive picture of our security posture to the business. I wanted a security metrics program that not only supported the budgeting and investment process for IT security but also provided an "at-a-glance" view of the overall risk posture. I researched different risk models from the National Infrastructure Advisory Council (NIAC), the National Institute of Standards and Technology (NIST), and Microsoft SFT, and came away with the opinion that their models would not fit our requirements relative to management and overhead. I decided instead to rely on my previous business experience to develop our current metrics program: a tier-based approach to IT security risk management that uses a set of standard probability and business impact frameworks to provide a lean assessment ...

Access this Pro+ Content for Free!

By submitting you agree to recieve email from TechTarget and its partners. If you reside outside of the United States you consent to having your personal data transferred and processed in the United States. Privacy Policy

Features in this issue

Columns in this issue