Size Doesn’t Matter – Metrics and Other Four-Letter Security Words


You are here. But where is that? As a young man, I remember being at the mall, standing in front of the directory map. There was a big dot with an arrow. You are here. Still, I had no context for what that meant. Managing an information security program can sometimes feel like that. Sound familiar? If so, you’re not alone.

On December 3rd, I have the pleasure of speaking at BSidesPhilly on how to build a security metrics program. All too often, people are overwhelmed with data and don’t know where to start. And when they do get started, the signal-to-noise ratio is so low that the value they set out for is distorted.

Size Doesn’t Matter

The size of your program doesn’t matter. Focusing in on simple metrics you can succeed with does. What story are you telling? What problem are you trying to solve? Focusing on the critical few will help you build a narrative that is easy to communicate and build on.

Getting Started

“The best time to plant a tree was 20 years ago. The second best time is now.” – Chinese Proverb

You don’t have to do it all at once. Starting now with directional correctness is key. Here’s how you get started:

1. Plan

  • Don’t Reinvent the Wheel – inventory your data assets, the infrastructure they reside on and who owns / uses them. This step is so important that the Center for Internet Security made it their first critical control.
  • Prioritize – build an ordered list of assets to start your metrics program around. Use data sensitivity, data location and criticality to your core processes. After the first pass, it will be easier to extend the same metrics to lower priority assets.

2. Achieve

Build metrics answering the following questions:

  • Efficiency – “How well does the control scale?”
  • Effectiveness – “How well does the control perform?”
  • Efficacy – “How well does your control perform compared to alternates / other controls?”
  • Trending – “How do you improve / perform over time?”
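The two steps above, carried through end to end on a constructed inventory, as an added example that is not code from the original post. It assumes a prioritization score built from three 1–3 ratings (sensitivity, exposure as a stand-in for data location, and criticality), a per-period observation record for each control and asset, and the four metric definitions shown in the comments; all names, fields and sample numbers are constructed for illustration.

```python
from dataclasses import dataclass

# ---- 1. Plan: inventory and prioritize -------------------------------------

@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    sensitivity: int   # 1 = public .. 3 = restricted
    exposure: int      # 1 = internal only .. 3 = internet-facing (data location)
    criticality: int   # 1 = convenience .. 3 = core business process

# Constructed inventory (hypothetical assets and owners)
INVENTORY = [
    Asset("claims-db",     "data-platform", 3, 1, 3),
    Asset("member-portal", "web-team",      3, 3, 3),
    Asset("intranet-wiki", "it-ops",        1, 1, 1),
    Asset("hr-files",      "hr",            2, 1, 2),
]

def priority_score(asset: Asset) -> int:
    """Assumed scoring: product of the three ratings, so a weak rating on any
    axis pulls the asset down the list (range 1..27)."""
    return asset.sensitivity * asset.exposure * asset.criticality

def scope(assets, top_n: int) -> list:
    """The 'critical few': names of the top_n assets by priority score."""
    ranked = sorted(assets, key=priority_score, reverse=True)
    return [a.name for a in ranked[:top_n]]

# ---- 2. Achieve: metrics per control, per period -----------------------------

@dataclass(frozen=True)
class Observation:
    period: str        # reporting period, e.g. "2018-Q3"
    control: str       # control being measured, e.g. "patching"
    asset: str         # asset name from the inventory
    covered: bool      # control actually deployed on this asset
    findings: int      # issues the control surfaced in the period
    closed_in_sla: int # of those, how many were closed within SLA
    hours: float       # staff hours spent operating the control on this asset

# Constructed observations for two controls across two quarters
OBSERVATIONS = [
    Observation("2018-Q2", "patching",  "member-portal", True, 10, 6, 8.0),
    Observation("2018-Q2", "patching",  "claims-db",     False, 0, 0, 0.0),
    Observation("2018-Q3", "patching",  "member-portal", True,  8, 7, 6.0),
    Observation("2018-Q3", "patching",  "claims-db",     True,  4, 2, 6.0),
    Observation("2018-Q3", "hardening", "member-portal", True,  5, 5, 4.0),
    Observation("2018-Q3", "hardening", "claims-db",     True,  3, 2, 4.0),
]

def _rows(obs, control, period, in_scope):
    return [o for o in obs
            if o.control == control and o.period == period and o.asset in in_scope]

def coverage(obs, control, period, in_scope) -> float:
    """Share of in-scope assets where the control is deployed."""
    covered = {o.asset for o in _rows(obs, control, period, in_scope) if o.covered}
    return len(covered) / len(in_scope)

def efficiency(obs, control, period, in_scope) -> float:
    """Efficiency ('how well does it scale'): covered assets per staff hour."""
    rows = _rows(obs, control, period, in_scope)
    hours = sum(o.hours for o in rows)
    return sum(1 for o in rows if o.covered) / hours if hours else 0.0

def effectiveness(obs, control, period, in_scope):
    """Effectiveness ('how well does it perform'): findings closed within SLA
    as a fraction of findings raised; None when nothing was found."""
    rows = _rows(obs, control, period, in_scope)
    findings = sum(o.findings for o in rows)
    return sum(o.closed_in_sla for o in rows) / findings if findings else None

def efficacy(obs, control_a, control_b, period, in_scope) -> float:
    """Efficacy ('compared to other controls'): effectiveness of A minus B
    on the same assets in the same period (positive favours A)."""
    return (effectiveness(obs, control_a, period, in_scope)
            - effectiveness(obs, control_b, period, in_scope))

def trend(obs, control, periods, in_scope) -> list:
    """Trending: effectiveness per period, in the order given."""
    return [(p, effectiveness(obs, control, p, in_scope)) for p in periods]

if __name__ == "__main__":
    critical = scope(INVENTORY, 2)
    print("in scope:", critical)
    for p in ("2018-Q2", "2018-Q3"):
        print(p, "patching coverage", coverage(OBSERVATIONS, "patching", p, critical),
              "efficiency", round(efficiency(OBSERVATIONS, "patching", p, critical), 3),
              "effectiveness", effectiveness(OBSERVATIONS, "patching", p, critical))
    print("hardening vs patching Q3:",
          efficacy(OBSERVATIONS, "hardening", "patching", "2018-Q3", critical))
```

Starting from the two highest-priority assets keeps each number easy to explain; once the story holds up for those, the same functions run unchanged over a wider scope.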

With this simple approach, you’ll know where you are. More importantly, you’ll be able to craft the right story, with the data to prove that size doesn’t matter… value does.

About the Author: Jim Menkevich is an Information Security, Privacy and Risk Management veteran with 17+ years of experience. Throughout his career, he has led teams in Cybersecurity, Enterprise Architecture, Systems Integration and Application Development. Jim specializes in applying methodologies, frameworks and ideas outside of their intended domain, which brings new and fresh angles to address industry challenges. Jim is currently the Director of Data Protection and Security Governance at Health Partners Plans in Philadelphia.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
