***** Security Metrics: Replacing Fear, Uncertainty, and Doubt. By Andrew Jaquith; published by Addison-Wesley Professional; www.informit.com (Web); 336 pages; $49.99.
Andrew Jaquith has provided IT security professionals with a comprehensive guide to capturing security metrics that, if followed, will help them demonstrate return on investment to decision makers in the executive suite.
The book opens with a discussion of the so-called “hamster wheel of pain” on which the typical risk manager runs and runs without getting anywhere. That, Jaquith says, is the result of traditional metrics, which merely (support) “the existence of the vendor’s products.” He insists that performance should be “consistently measured” and “expressed as a number or percentage.”
The reader is taken step-by-step through the issues that merit consideration when gathering such metrics. The author uses charts, graphics, case discussions, and lessons-learned to illustrate a collection of metrics that delivers consistent, clear, and concise information.
Jaquith offers insight on various methods for gathering, recording, and presenting metrics so they are easily consumed. For example, he discusses how firewall and systems logs can assist in providing a complete picture of security metrics, and can complement other data-gathering tools. Jaquith also names some of the software tools that aid in metrics collection.
While most chapters provide checklists, a single, all-inclusive checklist at the end of the book would have been helpful, especially for managers who need to jump-start a gasping metrics program.
Written in conversational style, Security Metrics would be accessible even to an IT security neophyte. Yet it is a must-have for anyone serious about gathering IT security metrics that will have an impact in the boardroom.
Reviewer: Will Morrison, CPP, is a security management professional with NASA and a 30-year veteran of federal service, including work as an information technology security manager. He is a member of ASIS International.