The Register® — Biting the hand that feeds IT

Top 10 Tangible Measures for Effective Security Risk Management

By downloading you agree to our Terms & Conditions. We will email you a copy of the paper.

Establishing an enterprise-wide information security risk metrics program

Published December 2006

Visibility and measurement are the very heart of security risk management. Without them it would be impossible to identify, assess and mitigate risks. They are also the key to effective process management. Identifying appropriate metrics ideally requires a consideration of the organisation’s business goals, strategies and compliance requirements, and the measures that could be used to prioritise activities and help prevent incidents.

Safety provides a useful analogy on how incidents can be prevented by monitoring near misses and correcting bad operating practices. Smart use of metrics, especially when coupled with powerful technology, underpins the development of effective governance processes by enabling management to ‘close the loop’ on policies and standards and apply continuous process improvements. Although not everything is measurable or knowable, with a little imagination and a modest budget suitable metrics can always be identified.

Enterprise-wide metrics systems, however, cannot be implemented overnight. They need to be developed over time, progressively adding new measures and refining existing ones. Priorities need to be assigned to ensure that the most vital metrics are implemented first. Metrics that help prevent potential attacks, support compliance audits or are needed to support a critical activity should take priority. This paper presents a Top 10 list of the most important metrics in order to give organisations a head start in the design of their enterprise metrics system.

Written by David Lacey