Measuring and Communicating Security's Value
eBook - ePub

Measuring and Communicating Security's Value

A Compendium of Metrics for Enterprise Protection

  1. 226 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

In corporate security today, while the topic of information technology (IT) security metrics has been extensively covered, there are too few knowledgeable contributions to the significantly larger field of global enterprise protection. Measuring and Communicating Security's Value addresses this dearth of information by offering a collection of lessons learned and proven approaches to enterprise security management. Authored by George Campbell, emeritus faculty of the Security Executive Council and former chief security officer of Fidelity Investments, this book can be used in conjunction with Measures and Metrics in Corporate Security, the foundational text for security metrics. This book builds on that foundation and covers the why, what, and how of a security metrics program, risk reporting, insider risk, building influence, business alignment, and much more. - Emphasizes the importance of measuring and delivering actionable results - Includes real world, practical examples that may be considered, applied, and tested across the full scope of the enterprise security mission - Organized to build on a principal theme of having metrics that demonstrate the security department's value to the corporation

Yes, you can access Measuring and Communicating Security's Value by George Campbell in PDF and/or ePUB format, as well as other popular books in Computer Science & Information Management. We have over one million books available in our catalogue for you to explore.

Information

Chapter 1

Metrics Management—It is Not About the Numbers

Abstract

Measuring is vital to enterprise protection, and this chapter provides a straightforward self-assessment tool that should help to establish where the reader’s program stands and what incremental improvements may be appropriate to a more mature content and approach. The chapter also outlines a six-step process for building or renovating a security metrics program. It then addresses some common concerns and provides ideas on how to resolve or move past them. The chapter also includes benchmarks that readers may find useful for calibrating their own directions.

Keywords

Actionable metrics; Assessment; Benchmarks; Corporate security; Corporate security officer; Data analysis; Enterprise risk management; Security metrics

Introduction

During the past several years, the more I’ve worked with some really good security organizations to assess and develop their metrics programs, the more I’m convinced that metrics isn’t about the numbers, it’s about measuring performance of people, process, and performance. Don’t get me wrong: We need to build and maintain lists of numbers, but this is just the beginning of the work. Like a smart colleague of mine says, “It’s just counting nails.” What do these numbers mean? What story do they tell, what action is required—and by whom?
This first section is focused on metrics program management in three parts. It begins with a metrics program assessment that can affirm a mature program or direct remedial action on perceived shortcomings gleaned from an honest self-evaluation. I recommend this process to the reader regardless of your level of accomplishment in our craft.
Measuring your various programs is not something extra to do. It is a key element of management and an expectation of your position.
The next section sets forth a six-step process for putting to work what you have gleaned from this self-assessment and using the data you have waiting to be mined. Building a security metrics program keyed to the unique needs of your company is not about incident reports and spreadsheets full of activity and event data. These are just the fuel that powers the analysis and judgment that yield your metrics. You have the data. You have the ability to tell powerful stories that can influence business strategy, corporate policy, and have a measurable impact on risk. But those stories and that ability to communicate with impact are the products of a well-established connection to the business and a disciplined process of data and information management. The steps briefly outlined in this chapter are both proven and just plain common sense.
The third and final section in this management review is a discussion of my sense of the state of the art regarding corporate security metrics. Note the emphasis. There are some outstanding books on information security metrics but very few on the portfolio of work confronting the corporate Chief Security Officer (CSO). I lean on some benchmarking results along with an assembly of excuses I’ve heard over many years—they are excuses I’ve said myself and then had the audacity to complain about when I heard them from others who continue to labor at this business of corporate security.
Chapters 2 and 3 will delve into various examples of security programs and their measures and metrics.

Metrics Program Assessment

Much of what follows in this book is focused on examples of security management challenges and opportunities, and the role and contribution I see for measurements and metrics. But I think it is important to level-set where you stand in terms of your program’s status, whether you are reading this as a security executive with a solid metrics program, one desiring to reinvent or build a body of security metrics, or perhaps as a student of the discipline. In working with scores of corporate security organizations over the past decade, I’ve found that there are about a dozen questions about the organizations’ metrics programs that effectively serve to focus the manager on developmental priorities. I included this material in the second edition of my first book on measures and metrics, but repeating it here is a logical beginning to my new work, and helps us consider the potential value of the examples that are discussed throughout.
The following metrics self-assessment tool walks security managers through a number of questions about how they would rank their program’s maturity. Take an honest look at each of the descriptions and see how you would assess your current security metrics program. If you think carefully about the questions and your assessment compared to the alternatives, I think you will find a roadmap for targeted improvements.
What is the business case for your security organization and how do you want it measured? What are the quantifiable measurements that ought to apply to management’s assessment of value? How would you grade your measurements and metrics?
You can work this assessment on your own if you are a sole practitioner. But if you have a team of managers leading various programs and functions, it would be advisable to develop this as a team exercise. It will get everyone (hopefully) on the same page, and will help to chart your program’s strengths, weaknesses, opportunities and threats (SWOT). This self-assessment is a precursor to the metrics construction process that takes the reader through six steps in building a program. Use it to leverage your strengths and opportunities and note where each of the steps offers an approach to mitigating your weaknesses and threats.
Metrics Self-assessment Tool
Review and fill in the attached self-assessment questionnaire. Select the one statement in each section that best suits your metrics program, and designate the current level of accomplishment for your selection. For example, if you selected 1.2 Management is beginning to seek performance measures and metrics from security, a Level 1 would indicate you are at the earliest stage of response to this need. If none fit the bill, insert your own selection as noted.
Key Metrics Program Indicators                                                                      | Maturity Level
1. Organizational Context                                                                           | Level 1 | Level 2 | Level 3
1.1. Metrics are an accepted element within selected business operations but have not been requested from security. |         |         |
1.2. Management is beginning to seek performance measures and metrics from security.                |         |         |
1.3. Performance measures and metrics are a required element of program management.                 |         |         |
(Insert your own performance indicator if not listed or adaptable above).                           |         |         |
2. Current Status of Metrics Within the Security Depar...

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. About the Author
  7. Foreword
  8. Special Thanks
  9. A Short Story To Set The Stage
  10. Some Notes to the Reader on Using This Book
  11. Chapter 1. Metrics Management—It is Not About the Numbers
  12. Chapter 2. Quantifying & Communicating on Enterprise Risk
  13. Chapter 3. Measuring Security Program Performance
  14. Index