Intelligent CIO Middle East Issue 25 | Page 17

LATEST INTELLIGENCE

2017 TRENDS IN SECURITY METRICS AND SECURITY ASSURANCE MEASUREMENT REPORT
A SURVEY OF IT SECURITY PROFESSIONALS

Most managers today have heard one or more variations of the old adages “What gets measured gets improved,” and “You can’t manage what you don’t measure.” Few, if any, business managers today, including IT security leaders, would dispute the idea that finding a way to measure and track performance has enormous benefit. However, while the idea of measurement seems simple on the surface, and is almost universally acknowledged as a good business practice, applying the notion of measurement to IT security programmes can be very challenging.

Security metrics can help IT security teams measure the effectiveness of IT controls and demonstrate compliance with internal security policies, governance frameworks and regulatory requirements. Security metrics can also be used to diagnose problems, identify weak links in your security posture, facilitate benchmark comparisons and drive performance improvement. And last, but most certainly not least, security metrics can be used by IT security teams to show business executives and boards how existing and planned IT security programmes align with business needs.

When it comes to IT security assurance measurement, it may be surprising that even in such a highly technical and data-oriented field as security, it’s not always clear how IT security metrics can and should be used to measure the performance of IT security programmes. What approaches are IT organisations taking today in terms of security metrics collection, reporting, and usage? Who are security metrics shared with and how often?

Download whitepapers free from www.intelligentcio.com/me/whitepapers/