EUIST


Security metrics – do you know what your boss wants?

November 11th, 2006 · No Comments


We have previously addressed how difficult it is to develop metrics that are not only reliable but also valid and have a strategic focus, meaning that C-level executives care about getting such numbers because they relate to matters they care about (e.g., new markets, strategy, the bottom line):

- CyTRAP Labs – guide – developing IT security metrics that work for you

- Security metrics and audits – spreadsheets are full of errors as we know

- CyTRAP Labs – 10 reasons for why information security makes economic sense

As we all have learned, getting attention (and budget) from top executives such as risk managers, CFOs and CEOs means creating metrics that help measure the value of the security effort. The Conference Board (sponsored by the U.S. Dept. of Homeland Security) surveyed 213 senior corporate executives working for a broad range of U.S. enterprises. The results show:

- 64% felt that the cost of business interruption was the most helpful metric,

- 60% thought vulnerability assessments helped release resources to remedy the problem, while

- 49% felt that metrics based on benchmarking the firm against industry standards,

- 43.5% thought the value of the facilities, and

- 39% the level of insurance premiums helped them get attention from C-level executives.

One always has to take these findings with a grain of salt because some things are a bit confusing. For instance, 60% of executives are willing to provide more resources for a metric that gives them information about vulnerabilities. Unfortunately, this does not stop the same individuals from continuing to use software that is likely more vulnerable than they would like:

- How do browsers stack up securitywise? Open source, others and Internet Explorer

Nonetheless, the study is another piece of research indicating that security must be aligned with operational risks or operations in order to gather the support needed to secure the resources required to address the problems. In other words, outlining how a potential mishap or disaster affects business operations makes things clearer for C-level folks and gets their attention.

Methodology and Sample

Senior C-level execs were interviewed using an online survey between 2005-06-20 and 2005-08-31. No invitations were sent to people involved with security and risk management, such as CIOs or Risk Officers, since the intent was to find out how receptive other managers were to security concerns. 213 participated (the study does not provide the response rate, so any halo effects are unknown).

The study does not provide a list of the questions asked (e.g., in an appendix), which would have been helpful for assessing it a bit better. Also, it may not tell many of you much that is new, but it confirms instead that you are not alone out there in how you see the world.

Thomas E. Cavanagh (October 2006). Navigating Risk: The Business Case for Security. New York, NY: The Conference Board. ISBN 0-8237-0885-3

The above study might tell you little, if anything, new; nonetheless, it is an interesting read and indicates that there is still much work to be done.
