Wednesday, June 22, 2011

New White Paper: Security Benchmarking: Going Beyond Metrics

Since I wrote The Pragmatic CSO a lifetime ago (OK, 4 years, but it feels like a lifetime), I've been evangelizing the need to better quantify security programs. Even without context, quantification is valuable, but the numbers are much more useful in aggregate. If you could find a set of similar companies to compare your metrics against, that would provide the needed context. Unfortunately, with the number of fires we must fight every day, most security people do not have time to adopt metrics.

This paper focuses on why you should. We cover security metrics at a high level as a foundation, and then spend most of the paper explaining what benchmarking offers your security program and how to do it. A brief excerpt from the Executive Summary explains it well:

A key aspect of maturing our security programs must be the collection of security metrics and their use to improve business processes. Even those with broad security metrics programs still have difficulty communicating the relative effectiveness of their efforts, in large part because they have no point of comparison. When speaking of the success/failure of any security program, without an objective reference point management has no idea if your results are good. Or bad.

Enter security benchmarking, which involves comparing your security metrics to a peer group of similar businesses. If you can get a sufficiently broad and consistent data set (both qualitative and quantitative), then compare your numbers with this data set, you can get a feel for relative performance. Obviously, care must be exercised when sharing, but the ability to transcend the current, arbitrary identification of issues as 'red' (bad), 'yellow' (not so bad), or 'green' (a little better) allows us to finally have some clarity on the effectiveness of our sensitive data security programs. In addition, metrics and benchmark data can be used internally to provide goals and illuminate trends to improve key security operations.

Those of you who embrace quantification gain an objective method for making decisions about your security program. No more black magic, voodoo or hypnosis to get your budget approved, OK?

The paper has a landing page, or you can download the document directly: Security Benchmarking: Going Beyond Metrics (PDF).

While you enjoy the paper, please send a thank-you to nCircle for licensing it.

-Mike Rothman