Security Metrics and Management
Tripwire, a vendor of risk-based security and compliance management solutions, released the results of a study that examined which metrics IT security professionals use most frequently to gauge the effectiveness of their organization's overall security efforts.
In the compliance arena specifically, the leading metrics were mean time-to-patch (49 percent), policy violations (33 percent), and reduction in audit findings and repeat findings (27 percent). The Tripwire study also found that only 19 percent of respondents viewed the number of records or files flagged as compliance infractions as an effective metric, and only 16 percent identified reduction in expired certificates, including SSL certificates and SSH keys, as one.
“There’s a strong correlation between security products and metrics,” noted Tim Erlin, director of IT and risk strategy for Tripwire. “Organizations most often build security metrics programs from the data up, rather than the business down, resulting in metrics supported by available security products, rather than focusing on those metrics that are meaningful to the business.”