Determining your IT risk management strategy

If you have responsibility for any aspect of IT security or regulatory compliance in your organization, are you making use of metrics to help you determine your IT risk management strategy? If so, are you using them primarily to monitor the current security and compliance posture, or are you combining them in ways that provide strategic decision support?

These are questions I’ve recently been asking IT security and compliance managers, and I would like to hear your answers to these questions as well. Your feedback will factor into my participation on a panel discussing the topic of metrics in the management of IT risk at the upcoming RSA conference in San Jose.

I have greater interest in the subject beyond this panel, however. In recent years, a number of management tools have increasingly adopted a metrics-based approach to presenting quantitative information regarding the current security and compliance posture. Most of these appear to revolve around presenting domain-specific status summaries, such as the percentage of systems that have been patched against a known vulnerability, or that are in compliance with a specific policy provision. These are what I would term “tactical metrics.”

What I have not yet seen so much of are tools that can help provide decision support in the strategic management of IT risk. I would call these “strategic metrics,” because they combine individual factors into higher-level correlations of measurement. They may indicate the value of a security or compliance approach, solution or technique, which could help in the buying decision. They may identify IT or information resources that require a greater investment in risk mitigation because of the value they represent to the enterprise, or the level of risk they expose.
While we have seen such metrics employed – in vulnerability management systems, for example – I have not yet seen them used very much directly in strategic decision support. Lack of consensus on meaningful metrics, and difficulty in quantifying risk, are likely two of the most significant reasons. We don’t yet have anything even remotely approaching an actuarial approach for saying that a certain type of risk poses a specific potential dollar impact, for example. The calculation of the ROI of a security or compliance expenditure is another area in which we must be very diligent in keeping to the most objective factors possible.

Useful examples of strategic metrics in IT risk management could appear in the development of tools that measure the value of risk mitigation by quantifying the contribution of IT resources to the business, as with revenue-generating applications, for example. Referencing existing information regarding the total cost of incident remediation is also a way businesses can justify an investment in preventive defense.

If you are leveraging IT risk metrics for decision support in managing your security and compliance strategy and priorities – particularly if you are using management tools to do so – I would very much look forward to hearing about how you’re doing it, and the value you’re receiving from your efforts.

And if you see me at RSA, be sure and say hello! I’ll be on the panel titled “ABCs of Security Risk Metrics Calculations: A Common Language,” taking place on Wednesday, Feb. 15 at 3:25 p.m. Check the RSA Web site for more details of the conference and the panel sessions.