How to Measure the Performance of Your Information Security Program

Any business on any given day can be compromised. That’s the reality of information security. Attacks may be targeted or the result of automated scans. The attackers may be sophisticated programmers or “script kiddies” who purchased an attack toolkit on the internet. With so many threat vectors to defend against, enterprises are expending capital on security technologies at an increasing rate. But buying a technology alone does not provide protection. The correct deployment of that technology is essential.

PwC’s 2012 Global State of Information Security Survey revealed that a vast majority of executives are confident in the effectiveness of their infosec practices. Respondents included readers of CIO and CSO Magazines and clients of PwC from 138 countries. The survey included more than 9,600 responses from COs, CFOs, CSOs, VPs and Directors of IT and Security on more than 40 questions on topics related to infosec and its alignment with the business. Overall, respondents believe they have an effective strategy in place and that their organizations are proactively executing it.

Enterprises Make Information Security an Integral Part of Their Business Planning

  • 63% of respondents reported they had information security strategies in place within their companies. 40% of those both have a strategy in place and are taking proactive steps to execute on it. 23% just have strategies in place. 16% focus more on tactics than strategy and 21% react to issues as they arise.
  • 35% of respondents said they are very confident and 37% are somewhat confident that their information security practices are effective.

It is promising that so many enterprises already have strategies in place. However, companies should be cautious not to develop an overinflated sense of safety. It is essential to measure, monitor and update these strategies regularly, and to ensure that technologies are being deployed correctly.

Measuring and Monitoring Information Security Performance

Information security performance measurement should be a system of measuring, monitoring and reporting infosec governance metrics. The development of such an assessment framework is essential to the evaluation of the effectiveness of Security Governance.

Some example metrics might include:

  • Number and type of security incidents
  • Number of systems where security requirements are not met
  • Number and type of suspected and actual access violations
  • Number of unauthorized IP addresses, ports and traffic types denied
  • Time to approve, change and remove access privileges
  • Number of access rights authorized, revoked, reset or changed

As technology advances, so does the complexity of cyber-threats. Executives must remain aware of the real risks their companies face. These threats impact not just the company’s critical information, but also sensitive customer data. Without an accurate perspective, top management could develop a false sense of safety over a situation that could have significantly negative business impacts.
