Information security metrics that work


James Connolly, Contributor
04.25.2006


CIOs looking at an information security proposal need to be armed with not only data on the cost of the project, but also the cost of not doing it. Experts in information security metrics and ROI planning say the science of security ROI has come a long way in the past few years.

Experts acknowledge that three or four years ago, using information security metrics amounted to security managers telling CIOs and CFOs "trust us, we need it."

"The security expert would come in with a stack of security incidents and try to justify a request based on fear. 'If we don't invest in this today, we will get hit with this new security threat and our networking is going to go down,'" said Tom Pisello, CEO of Alinean Inc., an ROI tools provider in Orlando, Fla.

Today, experts encourage security managers to use information security metrics and to provide estimates -- and CIOs to insist on them -- for factors such as the cost of downtime based on employee costs and lost sales, the frequency of security incidents, the benefit of automating manual security tasks and the potential damage to a corporate brand. That data helps senior management determine where the value may lie in a proposed security expense. However, experts estimate that only 10% to 15% of companies do this type of information security metrics analysis.

"Let's say we're talking about vulnerabilities or spam; convert those operational metrics into business impacts," said Khalid Kark, senior analyst at Forrester Research Inc. in Cambridge, Mass. Kark said if a company can show that a filter, for example, stops eight pieces of spam per user, saving each user eight minutes that they would have spent dealing with that spam, the company can show what the filter saves in lost employee productivity.

That type of data will get the business side of the company to buy into a security initiative more easily than raw numbers about the frequency of attacks and incidents, according to Kark. "It's important to pull together some sort of business impact. You have to have a business-centric report if it is going to business management," he said. One key element of communication with the business side and senior management is aligning information security strategies with the business goals, factoring in the amount of risk the organization is willing to take, Kark added.

One development in the past few years has been the availability of hard numbers to delineate what a company has to risk from a serious information security incident. "Now there are enough cases to look at … you can see the financial cost of computer crime hacking cases," said Gary S. Miliefsky, chief technology officer at security vendor NetClarity in Bedford, Mass. Miliefsky points to the Department of Justice listing of computer crime prosecutions and the dollar damages to victim companies as one reference source for security ROI calculations.

Miliefsky says CIOs and security managers should factor in the average cost of salary and overhead for an employee, and therefore the money wasted when that employee is unproductive for a day or a week. He recommends that managers conduct quarterly reviews of the number of employees, the computing assets in the company and the organization's security costs, and that the security team deliver that report to the chief financial officer. "Then, if you are asking for $3,000 to put a branch office behind a firewall, you can show what it costs if the 10 people in that branch are taken offline," Miliefsky said.
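Miliefsky's branch-office figures and Kark's spam example earlier in the piece reduce to the same calculation: price employee time at its fully loaded cost, multiply by the expected frequency of the event, and set the loss avoided against the cost of the control. The following Python is an added example, not code from the article or from any of the firms it quotes. The $3,000 firewall and the 10-person branch come from the text; the salary, overhead rate, outage length, incident rates and spam volume are constructed assumptions, and the annualized-loss formula (per-incident cost times yearly frequency, the standard ALE = SLE x ARO) is a standard risk calculation the article does not itself spell out.

```python
"""Convert operational security metrics into business-impact figures.

Added example; not code from the article or from any firm it quotes.
The $3,000 firewall and the 10-person branch office are Miliefsky's
scenario from the text; every other number (salary, overhead, outage
length, incident frequency, spam volume) is a constructed assumption.
"""
from dataclasses import dataclass

WORK_HOURS_PER_YEAR = 2000   # assumption: 50 weeks x 40 hours
WORKDAYS_PER_YEAR = 250      # assumption


def hourly_loaded_cost(annual_salary: float, overhead_rate: float) -> float:
    """Fully loaded cost of one employee-hour: salary plus benefits/overhead."""
    return annual_salary * (1.0 + overhead_rate) / WORK_HOURS_PER_YEAR


def downtime_cost(employees: int, annual_salary: float, overhead_rate: float,
                  hours_down: float, lost_sales: float = 0.0) -> float:
    """Cost of one outage: idle-employee cost plus any sales lost while down."""
    idle = employees * hourly_loaded_cost(annual_salary, overhead_rate) * hours_down
    return idle + lost_sales


def annualized_loss(cost_per_incident: float, incidents_per_year: float) -> float:
    """Expected yearly loss: per-incident cost x expected frequency.

    This is the standard ALE = SLE x ARO formula; the article describes the
    inputs (downtime cost, incident frequency) but does not write it out.
    """
    return cost_per_incident * incidents_per_year


@dataclass
class ControlCase:
    """ROI of a control that reduces how often an incident occurs."""
    name: str
    annual_cost: float
    loss_before: float   # annualized loss without the control
    loss_after: float    # annualized loss with the control

    @property
    def avoided_loss(self) -> float:
        return self.loss_before - self.loss_after

    @property
    def net_benefit(self) -> float:
        return self.avoided_loss - self.annual_cost

    @property
    def roi(self) -> float:
        """Net benefit per dollar spent (0.89 means 89% return)."""
        return self.net_benefit / self.annual_cost


def evaluate_control(name: str, annual_cost: float, cost_per_incident: float,
                     incidents_before: float, incidents_after: float) -> ControlCase:
    """Build the before/after comparison the CFO report needs."""
    return ControlCase(name, annual_cost,
                       annualized_loss(cost_per_incident, incidents_before),
                       annualized_loss(cost_per_incident, incidents_after))


def spam_productivity_savings(users: int, spam_per_user_per_day: float,
                              minutes_per_message: float, annual_salary: float,
                              overhead_rate: float) -> float:
    """Kark's spam example, generalized: employee minutes the filter gives back
    per year, priced at the loaded hourly cost."""
    minutes_per_year = users * spam_per_user_per_day * minutes_per_message * WORKDAYS_PER_YEAR
    return minutes_per_year / 60.0 * hourly_loaded_cost(annual_salary, overhead_rate)


def branch_office_firewall() -> ControlCase:
    """Miliefsky's scenario with assumed inputs: 10 staff at $60k + 35% overhead,
    an 8-hour outage per incident, two incidents a year before the firewall
    and one every four years after it; $3,000 treated as the first-year cost."""
    per_incident = downtime_cost(employees=10, annual_salary=60_000,
                                 overhead_rate=0.35, hours_down=8)
    return evaluate_control("branch office firewall", annual_cost=3_000,
                            cost_per_incident=per_incident,
                            incidents_before=2.0, incidents_after=0.25)


if __name__ == "__main__":
    case = branch_office_firewall()
    print(f"{case.name}: avoids ${case.avoided_loss:,.0f}/yr, "
          f"net ${case.net_benefit:,.0f}, ROI {case.roi:.0%}")
    saved = spam_productivity_savings(users=200, spam_per_user_per_day=8,
                                      minutes_per_message=1,
                                      annual_salary=60_000, overhead_rate=0.35)
    print(f"spam filter for 200 users: ${saved:,.0f}/yr of recovered productivity")
```

The point of separating `downtime_cost`, `annualized_loss` and `ControlCase` is that each input is one the business side can argue about independently (what an outage hour costs, how often it happens, how much the control reduces it), which is what turns the "trust us" request into a business-centric report. The same structure handles lost sales or brand damage by adding them to the per-incident cost rather than inventing a separate metric.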

Pisello notes that one challenge in calculating security ROI is identifying where security money is actually being spent in a distributed environment. While one or two security managers may set policies -- and are easy to account for within the security group's budget -- there may be hundreds of system administrators outside the security team who spend a portion of their workweek carrying out those policies. Capturing that cost may require an activity-based analysis across multiple departments, he noted.

James M. Connolly is a freelance writer based out of Norwood, Mass. He can be reached at jamesmconnolly@verizon.net.


All Rights Reserved, Copyright 2007 - 2009, TechTarget | Read our Privacy Policy