The Difficulty in Measuring the Performance of Infosec

Thursday, October 13, 2011

Rafal Los


The Difficulty of Measuring the Performance of Information Security

Information Technology is all about measuring performance, in business context.

For organizations like the networking team, measuring bandwidth utilization, link performance, and capacity are critical to helping the business understand which strategies are working, and when when network capacity should be increased amongst other things. 

In the systems management world, it's about performance of a system, deployment consistency, and uptime - metrics that can be quantified from monitoring and logging. 

This pattern repeats for applications and critical business systems, and just about every other component of information technology... except, it seems, Information Security.

While Information Security has gotten relatively good at measuring the number of port scans it stops, self-propagating worms and brute-force password hacking attempts, and even the number of application security defects that are identified and mitigated - it's still a relatively dark art to relate these metrics back to the impact to the business

When a specific network link the company relies on to do $100 million dollars of buiness/day is out for a day, the cost to the business is $100 million dollars... that's relatively easy to quantify, so measures are taken to prevent outages, delays and slow performance so as to not impact performance to the business. 

But, when it comes to relating the number of cross-site scripting defects in an application, or blocked malicious attachments in email - it seems that CISOs are having a difficult time quantifying how security practices, policies and expenditures are having a a positive impact to the business.

There's no magic to the process of divining KPIs from mountains of seemingly technology-interesting but business-useless metrics, but odds are some of your peers have already done this successfully, so we're working on bringing people together who have successfully figured out how to quantify "IT Performance" as a business value. 

I will keep writing on the topic, and the "Down the Rabbithole podcast" will have a few upcoming episodes about the topic as well... and you can always keep track of what's going on in the LinkedIn (SecBiz) group... but now there's one more resource from HP!  If you're interested in learning how your peers and colleagues are finding value in IT

Performance, and relating IT Security to it... check us out by following the links provided here ...and remember that if you don't participate and speak up, others cannot learn from your successes and failures... and everyone loses.


Cross-posted from Following the White Rabbit
Possibly Related Articles:
Enterprise Security
Information Security
Application Security Performance Information Technology metrics Infosec Business Impact
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.