On the Job
by Anish Bhimani
Issue: Feb 2005

#4: Measure Security Objectives
You won't be taken seriously if you don't have a strong set of metrics.

But where do you start? Measure the things that you can measure, and be sure to understand the data you're collecting and how it relates to your objectives. (See "Security: Measuring Up.")

Performance metrics showcase the efficiency of specific groups: Did you deliver on your initiatives? What sort of improvements did you make? Did you meet your goal on time and under budget?

Compliance metrics look at policy exceptions: How many people have been through awareness training? How many vendors have you reviewed?

Risk and exposure metrics measure the security posture of the enterprise: How many vulnerabilities are there in the environment? When you put it all together and rank it in terms of severity, how are you doing compared to where you were yesterday? Where are the exposures?

It's vital to avoid common metrics pitfalls.

First, measure results, not activity. It doesn't matter how many events were logged at the firewall; metrics should actually provide visibility into the risk posture of the firm. If a metric doesn't closely link with your objectives or tell a meaningful story about the firm's risk, stop monitoring it.

Second, even good data is useless if you don't use it. Metrics are meant to measure performance today and to drive improvements tomorrow. They enable you to make decisions about where you should spend your time and where the biggest issues are in your enterprise's network.
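The risk and exposure metrics described above, and the "results, not activity" rule, can be illustrated with a small severity-weighted exposure report. This is an added example, not code from the article or its author: two vulnerability snapshots (yesterday and today) are constructed inline, each open finding is weighted by an assumed severity band, and the change is reported per business unit. The weights, bands and business units are assumptions for illustration; a raw count of open findings is shown alongside to make the contrast visible.

```python
"""Severity-weighted exposure metric with a day-over-day trend.

Added example (not from the article). A raw count of open findings moves
from 4 to 5 between the two constructed snapshots below, which says little;
the weighted per-unit view shows that one unit improved sharply while
another got worse. Weights, bands and unit names are assumptions.
"""
from collections import defaultdict

# Assumed weights: contribution of one open finding in each severity band.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def severity_band(cvss: float) -> str:
    """Map a CVSS base score to a qualitative band (CVSS v3 ranges)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def raw_open_count(findings) -> int:
    """The activity-style number: how many findings are open, regardless of severity."""
    return sum(1 for f in findings if f["status"] == "open")


def exposure_by_unit(findings) -> dict:
    """Sum severity-weighted open findings per business unit."""
    totals = defaultdict(int)
    for f in findings:
        if f["status"] != "open":
            continue
        totals[f["unit"]] += SEVERITY_WEIGHT[severity_band(f["cvss"])]
    return dict(totals)


def exposure_trend(yesterday, today) -> dict:
    """Return {unit: (old, new, delta)} so the report shows direction, not just a total."""
    old = exposure_by_unit(yesterday)
    new = exposure_by_unit(today)
    units = sorted(set(old) | set(new))
    return {u: (old.get(u, 0), new.get(u, 0), new.get(u, 0) - old.get(u, 0)) for u in units}


# Constructed sample snapshots (hypothetical finding IDs, units and scores).
YESTERDAY = [
    {"id": "V-1", "unit": "trading", "cvss": 9.8, "status": "open"},
    {"id": "V-2", "unit": "trading", "cvss": 5.3, "status": "open"},
    {"id": "V-3", "unit": "hr", "cvss": 7.5, "status": "open"},
    {"id": "V-4", "unit": "hr", "cvss": 3.1, "status": "open"},
]
TODAY = [
    {"id": "V-1", "unit": "trading", "cvss": 9.8, "status": "fixed"},
    {"id": "V-2", "unit": "trading", "cvss": 5.3, "status": "open"},
    {"id": "V-3", "unit": "hr", "cvss": 7.5, "status": "open"},
    {"id": "V-4", "unit": "hr", "cvss": 3.1, "status": "open"},
    {"id": "V-5", "unit": "hr", "cvss": 9.1, "status": "open"},
    {"id": "V-6", "unit": "hr", "cvss": 4.0, "status": "open"},
]

if __name__ == "__main__":
    print("open findings:", raw_open_count(YESTERDAY), "->", raw_open_count(TODAY))
    for unit, (old, new, delta) in exposure_trend(YESTERDAY, TODAY).items():
        print(f"{unit:8s} exposure {old:3d} -> {new:3d}  ({delta:+d})")
```

Run as a script it prints the raw count (4 to 5) and then the per-unit lines: trading drops from 12 to 2 because its critical finding was fixed, while hr rises from 6 to 18 because a new critical and a new medium finding appeared. That second view is the one that answers "where are the exposures?"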

#5: Spend Wisely
Security managers often complain that they don't have enough money, and that's partly true: As a percentage, security receives a comparatively small share of the overall enterprise IT budget. However, security is beholden to the same spending and ROI metrics as any other part of IT; you have to quantify a need for spending and then prioritize your resources. Budgets won't necessarily increase; you just have to practice better spending.

A certain level of security is well-understood as a cost of doing business, and people will always fund what they deem is necessary (electricity and air conditioning aren't profit centers, but we always find money for them). Metrics are key to security investments and ROI, because without them you won't know if you're properly allocating your precious security dollars, or if you're getting the intended benefit from that investment.

The C-suite will always seek alternatives to expensive new initiatives and will have your head if they discover a cheaper, just-as-effective resolution. By accurately projecting needs through metrics, you can minimize the costs of "necessary" bits while pushing for new initiatives.

#6: Know Your Limitations
Even with all the money in the world, you couldn't execute on every one of your security desires. Rather than juggling many long-term projects, divide your work into small, manageable tasks. This will allow you to achieve more goals faster and demonstrate security's worth to management.

From a risk perspective, base your security priorities on a list of potential objectives and evaluate each one on two axes: how achievable it is and how much risk it reduces. If an objective scores high on both, do it immediately; if it scores low, drop it. Prioritize the rest according to factors that make sense for you--logistics, cost, breadth of impact, etc. Combined with your daily operations, this gives you a solid plan for achieving your goals.
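The triage rule above (do it now if it scores high on both axes, drop it if it scores low, rank the remainder by secondary factors) can be written as a short scoring routine. This is an added example, not the author's own method or tool: objectives are scored 1 to 5 on achievability and on risk reduction; the thresholds, the reading of "scores low" as low on both axes, the secondary sort keys (risk reduction per unit of cost, then breadth, then achievability) and the sample objectives are all assumptions for illustration.

```python
"""Objective triage: achievability versus risk reduction.

Added example (not from the article). Scores run 1 (hard / little benefit)
to 5 (easy / large benefit). Thresholds, the "low on both axes" reading
of "scores low", the secondary ranking and the sample objectives are
assumptions made for illustration.
"""
from dataclasses import dataclass

HIGH = 4  # a score >= HIGH counts as "high"
LOW = 2   # a score <= LOW counts as "low"


@dataclass(frozen=True)
class Objective:
    name: str
    achievability: int   # 1 (hard) .. 5 (easy)
    risk_reduction: int  # 1 (little) .. 5 (large)
    cost_kusd: int       # estimated cost, secondary factor
    breadth: int         # 1 .. 5, share of the enterprise affected, secondary factor


def classify(o: Objective) -> str:
    """Apply the two-axis rule: 'now', 'drop', or 'backlog'."""
    if o.achievability >= HIGH and o.risk_reduction >= HIGH:
        return "now"
    if o.achievability <= LOW and o.risk_reduction <= LOW:
        return "drop"
    return "backlog"


def backlog_key(o: Objective):
    """Secondary ranking: most risk reduction per dollar first, then breadth, then ease."""
    return (-(o.risk_reduction / o.cost_kusd), -o.breadth, -o.achievability)


def triage(objectives) -> dict:
    """Return {'now': [...], 'drop': [...], 'backlog': [...]} as ordered name lists."""
    buckets = {"now": [], "drop": [], "backlog": []}
    for o in objectives:
        buckets[classify(o)].append(o)
    buckets["backlog"].sort(key=backlog_key)
    return {k: [o.name for o in v] for k, v in buckets.items()}


# Constructed sample objectives (hypothetical names, scores and costs).
CANDIDATES = [
    Objective("Patch internet-facing web tier", 5, 5, 40, 3),
    Objective("Replace legacy mainframe auth", 1, 2, 900, 4),
    Objective("Quarterly phishing awareness", 4, 2, 20, 5),
    Objective("Segment the trading network", 2, 5, 250, 2),
    Objective("Vendor security reviews", 3, 3, 60, 3),
    Objective("Disable unused admin accounts", 5, 3, 5, 4),
]

if __name__ == "__main__":
    for bucket, names in triage(CANDIDATES).items():
        print(f"{bucket}:")
        for n in names:
            print(f"  - {n}")
```

With the sample data the web-tier patching lands in "now", the mainframe rewrite is dropped, and the backlog is ordered admin-account cleanup, phishing awareness, vendor reviews, network segmentation. Note that segmentation ends up last despite its high risk-reduction score because the example ranks the backlog by reduction per dollar; a shop that weights breadth or logistics more heavily would change `backlog_key`, which is exactly the "factors that make sense for you" the text leaves open.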