More on metrics in IT security and compliance

Last week, I talked about the emergence of metrics in the management of IT risks. I asked for your feedback, and (thank you all very much!) I’ve already gotten many interesting responses from readers and IT practitioners.

Although what I wrote about last week was the increasing use of metrics in the management of security and compliance risks, it should be pointed out that IT risk management is a much broader topic than security and compliance alone, and touches on areas such as project, technology and investment risks. IT governance initiatives address another aspect of IT risk, mitigating exposures through a systematic integration of people, process and technology controls.

When it comes to the evolution of metrics, however, one of the most active areas of interest today is the use of metrics in the management of IT security and compliance risks – a trend influenced in no small way by the increased adoption of best-practices governance models such as those mentioned above, as well as control frameworks for satisfying regulatory compliance requirements. These systematic approaches tend to favor objective measurements of conformity, which encourage metrics-based measurement.

I mentioned last week that I see IT security and compliance risk metrics falling into two broad categories: tactical metrics, which contribute to measurement of the current risk posture, such as the numbers of systems, network points and users in compliance with a given policy or standard; and strategic metrics, which combine higher-level correlations of metrics to guide decision support in developing a security and compliance management strategy. Readers offered several examples of each, and among the most interesting to me were those that achieve an elusive goal: the use of performance-based measures in security management.
While network availability measurement can (and must) be performance-based, security metrics tend to be more asset-focused, such as measuring the types of defenses in place or the numbers of systems protected against a specific threat. Response time, however – in dealing with security events or applying countermeasures to an emerging threat, for example – is a security performance measure that can add significant value to measurable service level management (SLM).

Performance-based metrics like these, however, still tend to fall in the tactical category – unless they can be used to support security and compliance strategy decisions. Not coincidentally, managed security service providers (MSSP) have capitalized on that strategic opportunity. The sophisticated tools and expertise available to an MSSP are often outside the reach of what their customers can maintain – and, just as importantly, retain – in-house. These quantifiable asset-based measures can be delivered with measurable performance in response and remediation. Financial savings can be measured against the cost of maintaining assets and expertise that deliver the same degree of value.

Of course, we could go on indefinitely about security and compliance risk metrics – and I’d like to invite you to do just that, at a new Web site devoted to this topic, where I invite you to respond to a poll asking visitors what categories of strategic metrics they value most. Because of the relationship between risk metrics and service level management, this new site will be hosted by the SLM-Info community. Registrants will be able to see up-to-date poll results, and additional studies will likely be featured in the future.
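As an added illustration (example code written for this page, not part of the column or of any vendor tool), the two metric categories described above computed over constructed data: a tactical compliance rate per policy and asset class, the detection-to-countermeasure response time that the SLM discussion refers to, and a strategic roll-up that turns the compliance rates into a gap against a target. The inventory and event schemas are assumptions.

```python
from datetime import datetime
from math import ceil
from statistics import median

# Constructed sample inventory (assumed schema): asset id, asset class, policy, compliant?
ASSETS = [
    ("srv-01", "server", "patch-baseline", True),
    ("srv-02", "server", "patch-baseline", False),
    ("srv-03", "server", "patch-baseline", True),
    ("ws-01", "workstation", "patch-baseline", True),
    ("ws-02", "workstation", "patch-baseline", False),
    ("ws-03", "workstation", "patch-baseline", False),
    ("usr-01", "user", "mfa-policy", True),
    ("usr-02", "user", "mfa-policy", True),
]

# Constructed sample security events (assumed schema): detection time, countermeasure applied
EVENTS = [
    ("2006-02-01T09:00:00", "2006-02-01T09:45:00"),
    ("2006-02-02T13:10:00", "2006-02-02T15:10:00"),
    ("2006-02-03T22:00:00", "2006-02-04T04:00:00"),
    ("2006-02-05T08:30:00", "2006-02-05T09:00:00"),
]

def compliance_rate(assets, policy, asset_class=None):
    """Tactical metric: share of assets (optionally one class) compliant with a policy."""
    rows = [a for a in assets if a[2] == policy and (asset_class is None or a[1] == asset_class)]
    if not rows:
        return None  # no assets under this policy: undefined, not 0% or 100%
    return sum(1 for a in rows if a[3]) / len(rows)

def response_minutes(events):
    """Tactical performance metric: minutes from detection to countermeasure, per event."""
    return [(datetime.fromisoformat(done) - datetime.fromisoformat(seen)).total_seconds() / 60
            for seen, done in events]

def response_summary(events):
    """Median and worst-case response time, the figures an SLM report would carry."""
    mins = response_minutes(events)
    return {"median_min": median(mins), "max_min": max(mins)}

def strategic_gap(assets, policy, target_rate):
    """Strategic roll-up: per asset class, how many more assets must comply to reach the target."""
    gaps = {}
    for cls in sorted({a[1] for a in assets if a[2] == policy}):
        rows = [a for a in assets if a[2] == policy and a[1] == cls]
        compliant = sum(1 for a in rows if a[3])
        gaps[cls] = max(0, ceil(target_rate * len(rows)) - compliant)
    return gaps
```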
We would welcome your input on topics you’d like to see addressed.

If you’ll be at the RSA Conference in San Jose next week, I also invite you to a panel I’ll be on, where Gidi Cohen of Skybox Security, Dan Geer of Verdasys, Preston Wood, CISO, Zions Bancorporation, and John Meakin, group head of information security for Standard Chartered Bank, will join me to discuss “ABCs of Security Risk Metrics Calculations: A Common Language,” Wednesday, Feb. 15 at 3:25 p.m. The conference Web site can provide you with details of the panel sessions.

Your responses to the poll here will have an influence on this panel discussion, so I encourage you to visit the Web site and participate.