Information Security magazine
October 2009

Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way

Risk metrics were virtually non-existent three years ago when I took over as Kodak's global IT security and risk manager. The company's risk management process was cumbersome, time-consuming, inconsistent, and subjective; as a result, we were lacking a comprehensive picture of our security posture to the business. I wanted a security metrics program that not only supported the budgeting and investment process for IT security but also provided an "at-a-glance" view of the overall risk posture. I researched different risk models from the National Infrastructure Advisory Council (NIAC), the National Institute of Standards and Technology (NIST), and Microsoft SFT, and came away with the opinion that their models would not fit our requirements relative to management and overhead. I decided instead to rely on my previous business experience to develop our current metrics program: a tier-based approach to IT security risk management that uses a set of standard probability and business impact frameworks to provide a lean assessment ...

