The Center for Internet Security is devising new metrics that companies can use to evaluate their security status, including measuring how many systems are properly patched and how long it takes to recover from a security incident.
CEO Bert Miuccio says the non-profit group, which crafts software implementation benchmarks, intends to publish its enterprise security metrics by year-end.
"There have been metrics defined in the security community in the past, usually lists of things to be measured in terms of security, such as technical [attributes], people and processes," Miuccio says. "But there's still a struggle to understand the value of security investments, in terms of outcomes, to determine the security status of an enterprise."
Miuccio says the security benchmarks the Center for Internet Security is working on will be "unambiguous." They'll revolve around eight principal topics:
• Mean time between security incidents.
• Mean time to recover from security incidents.
• Percentage of systems configured to approved standards.
• Percentage of systems patched to policy.
• Percentage of systems with antivirus.
• Percentage of business applications that had a risk assessment.
• Percentage of business applications that had a penetration or vulnerability assessment.
• Percentage of application code that had a security assessment, threat model analysis, or code review prior to production deployment.
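As an added illustration (not code from the article or from the Center for Internet Security), here is how a defender might compute the first five of those metrics from an incident log and an asset inventory; the Incident and System records and the sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass
class Incident:
    detected: datetime   # when the incident was detected
    recovered: datetime  # when normal service was restored

@dataclass
class System:
    name: str
    config_compliant: bool   # built to the approved configuration standard
    patched_to_policy: bool  # every required patch applied within the policy window
    antivirus: bool          # endpoint antivirus installed and running

def mean_time_between_incidents_hours(incidents):
    # Mean gap between consecutive detections; None when fewer than two incidents.
    starts = sorted(i.detected for i in incidents)
    if len(starts) < 2:
        return None
    return mean((b - a).total_seconds() / 3600 for a, b in zip(starts, starts[1:]))

def mean_time_to_recover_hours(incidents):
    # Mean detection-to-recovery time; None when there are no incidents.
    if not incidents:
        return None
    return mean((i.recovered - i.detected).total_seconds() / 3600 for i in incidents)

def percent_of_systems(systems, attribute):
    # Share of the inventory for which the named boolean attribute is true.
    if not systems:
        return 0.0
    return 100.0 * sum(getattr(s, attribute) for s in systems) / len(systems)

# Constructed sample data: three incidents and a four-system inventory.
INCIDENTS = [
    Incident(datetime(2008, 10, 1, 8), datetime(2008, 10, 1, 20)),    # 12 h to recover
    Incident(datetime(2008, 10, 11, 8), datetime(2008, 10, 12, 8)),   # 24 h to recover
    Incident(datetime(2008, 10, 31, 8), datetime(2008, 10, 31, 14)),  # 6 h to recover
]
SYSTEMS = [
    System("ws-1", True, True, True),
    System("ws-2", True, False, True),
    System("srv-1", False, True, True),
    System("srv-2", False, False, False),
]
```

With this data the mean time between incidents is 360 hours, the mean time to recover is 14 hours, and 50%, 50% and 75% of systems are configured to standard, patched to policy and running antivirus respectively.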
Miuccio adds that the Center for Internet Security will continue its work producing benchmarks for software security. New benchmarks for secure configuration of Microsoft Office and SharePoint, print drivers, the open source Tomcat application and the three Web browsers Internet Explorer, Opera and Firefox are to be published in the fourth quarter as well.
Some organizations view security metrics as a way to show evidence of secure practices to both themselves and business partners.
Pacific Gas & Electric (PG&E), for example, elected to use what's called the Information Security Assurance Capability Maturity Model (IA-CMM) developed by the U.S. National Security Agency.
"The purpose of the IA-CMM is to gauge an organization's effectiveness in delivering security to its clients, meaning anyone who uses its services," says Seth Bromberger, manager of information security at PG&E. IA-CMM calls for a tough exam by an authorized outside firm to evaluate an organization's security as documented and executed.