The emphasis on metrics
As companies seek to reduce bottom-line costs and increase efficiencies, the reliance on metrics increases. Information security departments are often thought of as an overhead and a drain on the bottom line, and thus are striving to produce metrics to support their stance. This striving to show value through metrics is a double-edged sword.
On the plus side, metrics can indicate positive performance in the effort to increase the overall security posture of the enterprise.
Such metrics can be the number of tickets closed by an administrator, or the number of incidents reviewed by an analyst.
On the negative side, there can be a tendency to drop important tasks which are hard to show metrics on and to concentrate on routine tasks which are easy to produce metrics on but in reality do not enhance the overall security of the enterprise.
Incident metrics often do not reflect the complexity of each incident or the result of the investigation. These cannot easily be quantified, and thus an emphasis on numbers rather than on quality has a negative impact on the enterprise security posture.
So in summary, metrics can be good or bad, and the decision on which metrics to use, and the level / quantity of each metric, needs to be carefully discussed before implementation.
DISCLAIMER: These are the author's personal views and not necessarily those of his employer.
S. Russell Dyer
BS CNE CISSP CRISC Security+ CICP
Security Analyst, and Dad to Makayla, Tristan and Michael.