Security Metrics Need to Show That Things Are Getting Done
- Metrics that are most useful to the CEO relate to how far along the program is in achieving its goals.
- Security is more than just an operational cost. It’s also increasingly becoming a business enabler.
“The CEO wants to know whether a process is or is not implemented and if not, where in the implementation cycle it is”
There’s no simple answer to “How secure are we?” The answer invariably depends on the maturity of an organization’s approach to its security strategy. Companies need to establish a baseline measure of their security posture so that they can see how that baseline changes over time. “We do a baseline assessment, which gives a weighted scoring of 0 percent to 100 percent on where we are with different functional and technical areas,” explains Charles Tholen. “Then, we can provide follow-on reports either after significant events or on a periodic basis.”