As an information security manager I am always struggling with how to measure the security posture of my organization. As they say, you can’t manage what you can’t measure. There’s lots of talk out there about ROI (Return on Investment) or ROSI (Return on Security Investment). These may be business numbers for the bean counters, but what do they really tell us about the security posture of the organization?
The CIS worked with over 100 team members from government, private and academic organizations to design a consensus set of metrics that measure security processes and outcomes. The list below shows some of the business functions covered by the current suggested list of metrics, with the metrics defined for each.
- Application Security
  - Number of Applications
  - Percentage of Critical Applications
  - Risk Assessment Coverage
  - Security Testing Coverage
- Configuration Change Management
  - Mean-Time to Complete Changes
  - Percent of Changes with Security Review
  - Percent of Changes with Security Exceptions
- Information Security Budget as % of IT Budget
- Information Security Budget Allocation
- Incident Management
  - Mean-Time to Incident Discovery
  - Incident Rate
  - Percentage of Incidents Detected by Internal Controls
  - Mean-Time Between Security Incidents
  - Mean-Time to Recovery
- Patch Management
  - Patch Policy Compliance
  - Patch Management Coverage
  - Mean-Time to Patch
- Vulnerability Management
  - Vulnerability Scan Coverage
  - Percent of Systems Without Known Severe Vulnerabilities
  - Mean-Time to Mitigate Vulnerabilities
  - Number of Known Vulnerability Instances
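To make the Vulnerability Management metrics concrete, here is an added example (my own code, not from the CIS documents) that computes the four metrics listed above over a small constructed set of scan findings; host names, severities and dates are made up, and the exact counting rules are my assumptions rather than the official CIS definitions.

```python
"""Compute the four CIS-style Vulnerability Management metrics over constructed scan data."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Vuln:
    host: str
    severity: str              # "critical", "high", "medium" or "low"
    found: date                # date the scanner first reported it
    mitigated: Optional[date] = None   # None means the finding is still open

SEVERE = {"critical", "high"}   # assumption: these severities count as "severe"

# Constructed sample: five hosts are in scope, but only four were actually scanned.
HOSTS = ["web1", "web2", "db1", "app1", "vpn1"]
SCANNED = {"web1", "web2", "db1", "app1"}
FINDINGS = [
    Vuln("web1", "critical", date(2024, 3, 1), date(2024, 3, 6)),
    Vuln("web1", "low",      date(2024, 3, 1)),
    Vuln("web2", "high",     date(2024, 3, 2), date(2024, 3, 17)),
    Vuln("db1",  "high",     date(2024, 3, 3)),
    Vuln("app1", "medium",   date(2024, 3, 3), date(2024, 3, 10)),
]

def scan_coverage(hosts, scanned) -> float:
    """Vulnerability Scan Coverage: percent of in-scope hosts that were scanned."""
    return 100.0 * sum(1 for h in hosts if h in scanned) / len(hosts)

def pct_without_severe(hosts, findings) -> float:
    """Percent of Systems Without Known Severe Vulnerabilities (open severe findings only)."""
    with_severe = {f.host for f in findings if f.severity in SEVERE and f.mitigated is None}
    return 100.0 * (len(hosts) - len(with_severe)) / len(hosts)

def mean_time_to_mitigate(findings, severities=SEVERE) -> float:
    """Mean-Time to Mitigate Vulnerabilities, in days, over closed findings of the given severities."""
    closed = [(f.mitigated - f.found).days for f in findings
              if f.severity in severities and f.mitigated is not None]
    return float(mean(closed)) if closed else 0.0

def open_instances(findings) -> int:
    """Number of Known Vulnerability Instances: findings not yet mitigated, any severity."""
    return sum(1 for f in findings if f.mitigated is None)
```

Note that vpn1 was never scanned, so it is counted as "without known severe vulnerabilities"; that is why the percentage should always be read alongside scan coverage.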
Take some time and visit the CIS metrics page or download the consensus security metrics (registration required). You may find some useful tools in building and supporting an information security program for your organization.
Thanks for reading & let’s continue to be good network citizens.