The nonprofit Center for Internet Security (CIS) is planning to release guidelines to help companies better gauge the cost-effectiveness of their security programs.
IT managers are increasingly struggling to make effective security investments, according to CIS. The metrics, set for release in late October or early November, will be based on input from 80 private- and public-sector security experts.
IT managers are also under growing pressure from companies to prove security programs’ effectiveness, said Randall Gamby, an analyst at the Burton Group, a Midvale, Utah-based IT consulting firm.
CIS initially plans to roll out just a handful of “outcome and practice metrics,” according to the nonprofit. The outcome metrics will cover two areas: mean time between security incidents and mean time to recover from security incidents. The practice metrics will cover a handful of subjects, ranging from the percentage of systems configured according to policy to the percentage of systems with anti-virus protection. The metrics will also come with a schema that spells out definitions and how each metric is computed.
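As an added illustration (this code is not part of the original article and is not CIS's published schema), the following Python computes the four metrics named above from constructed sample data. The record layout, the field names and the handling of still-open incidents are assumptions; the point is that each metric needs a precise definition, such as which timestamps bound an incident and what belongs in the denominator, before numbers from different organizations can be compared.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    """One security incident. Timestamps are assumed field names, not CIS's schema."""
    ident: str
    detected: datetime
    recovered: Optional[datetime]  # None while the incident is still open


# Constructed sample incident records (hypothetical data for illustration only).
INCIDENTS: List[Incident] = [
    Incident("INC-1", datetime(2024, 1, 3, 9, 0), datetime(2024, 1, 3, 17, 0)),
    Incident("INC-2", datetime(2024, 1, 17, 14, 0), datetime(2024, 1, 19, 14, 0)),
    Incident("INC-3", datetime(2024, 2, 14, 14, 0), None),  # still open
]

# Constructed sample inventory records (hypothetical data for illustration only).
SYSTEMS = [
    {"host": "web01", "config_compliant": True, "antivirus": True},
    {"host": "web02", "config_compliant": False, "antivirus": True},
    {"host": "db01", "config_compliant": True, "antivirus": True},
    {"host": "jump01", "config_compliant": True, "antivirus": False},
    {"host": "legacy01", "config_compliant": False, "antivirus": True},
]


def mean_time_between_incidents(incidents: List[Incident]) -> Optional[float]:
    """Mean gap in hours between consecutive detection times.

    Definition choice: intervals are measured detection-to-detection, and an
    open incident still counts because its detection time is known. Fewer than
    two incidents gives no interval, so the metric is undefined (None), not zero.
    """
    starts = sorted(i.detected for i in incidents)
    if len(starts) < 2:
        return None
    gaps = [(later - earlier).total_seconds() / 3600
            for earlier, later in zip(starts, starts[1:])]
    return mean(gaps)


def mean_time_to_recover(incidents: List[Incident]) -> Optional[float]:
    """Mean detection-to-recovery duration in hours over closed incidents only.

    Definition choice: open incidents are excluded rather than counted as zero,
    which would silently flatter the number. A recovery time earlier than the
    detection time is a data error and is rejected.
    """
    durations = []
    for inc in incidents:
        if inc.recovered is None:
            continue
        if inc.recovered < inc.detected:
            raise ValueError(f"{inc.ident}: recovered before detected")
        durations.append((inc.recovered - inc.detected).total_seconds() / 3600)
    if not durations:
        return None
    return mean(durations)


def percent_of_systems(systems: List[dict], attribute: str) -> float:
    """Percentage of inventoried systems for which `attribute` is true.

    Definition choice: the denominator is the full inventory, so a system that
    was never scanned (attribute missing) counts as non-compliant.
    """
    if not systems:
        return 0.0
    compliant = sum(1 for s in systems if s.get(attribute, False))
    return 100.0 * compliant / len(systems)


def compute_metrics(incidents: List[Incident], systems: List[dict]) -> dict:
    """Bundle the two outcome metrics and two practice metrics from the article."""
    return {
        "mean_time_between_incidents_h": mean_time_between_incidents(incidents),
        "mean_time_to_recover_h": mean_time_to_recover(incidents),
        "pct_configured_to_policy": percent_of_systems(systems, "config_compliant"),
        "pct_with_antivirus": percent_of_systems(systems, "antivirus"),
    }


if __name__ == "__main__":
    for name, value in compute_metrics(INCIDENTS, SYSTEMS).items():
        print(f"{name}: {value}")
```

On the sample data the detection-to-detection gaps are 341 and 672 hours, so the mean time between incidents is 506.5 hours; only the two closed incidents (8 and 48 hours) feed the 28-hour mean time to recover; and 3 of 5 systems are configured to policy (60%) while 4 of 5 run anti-virus (80%). Changing any of the definitional choices in the docstrings changes the numbers, which is why a shared schema matters for cross-organization comparison.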
Later this year, CIS also plans to release a software-based service that lets companies compare their security posture against anonymized data from other organizations in the same vertical market.
IT managers spend a significant amount of time on regulatory compliance, said Gamby. Security effectiveness, a broader question, is often overlooked, he said. Regulations also tend to lack prescriptive detail on which controls and processes companies should employ.
One reason it has been hard to create security metrics is that there are so many security products and so many ways to use them. Effective metrics depend heavily on how well they align with broader business goals, he said.
Since its inception in 2000, CIS has published 27 benchmark reports on secure software and system configuration. It has also created scoring tools that measure how well an organization's systems meet the benchmarks. Both the benchmarks and the tools can be downloaded free of charge from the CIS Web site.