Security Metrics Must Demonstrate Effective Security Governance
- The executive committee is interested in the anticipated outcomes of resource allocations.
- Security teams sometimes rely on qualitative evaluation, but remember that the executive committee wants quantifiable answers based on quantitative metrics.
“When making a security presentation, it’s important to tie security initiatives to the CEO’s initiatives and the organization’s overall goals.”
As Roota Almeida points out, “In today’s world, no one can assure 100 percent security.” The issue is not whether your organization will be breached but when it will be breached and how you respond. In the past, security teams heavily focused on preventing penetration into systems that contained sensitive data. Although that continues to be important, today more emphasis is placed on better detection and mitigation. “After they get in, how quickly we can detect them and mitigate the damage are what really matter,” explains Almeida.