This month I published a new report on information security metrics. It covers
best practices and includes a maturity model for measuring how mature your
metrics reporting process is.
This report outlines the future look of Forrester's solution for security and risk (S&R) professionals
looking to build a high-performance security programme and organisation.
We designed this report to help S&R pros develop and report the
appropriate security metrics for their security organisation. Security
metrics are a key initiative for chief information security officers
(CISOs) today, but many struggle with picking the right metrics.
CISOs often take a broad-brush approach, relying on operational metrics to
demonstrate security. The problem with this approach is that most people
don't understand what the metrics are saying, nor how the things being
measured make their own lives easier or harder. Good metrics are easy to
understand, prompt action and change behaviour by giving the audience a
clear idea of why they should care.
When CISOs present metrics, they must be able to clarify "What it means" and "What's in it for me?" Use this paper as a set of guidelines to develop a well-formed security metrics strategy and to drive behaviour change and improve performance.
Posted by Edward Ferrara