Making Your Security Metrics Work For You

Recently, I came upon a blog post on TechRepublic titled, “Why security metrics aren’t helping prevent data loss,” which explores why data losses continue to increase despite the introduction of security metrics to help achieve information security goals.

The TechRepublic post cites some key findings from a large-scale survey on “The State of Risk-Based Security Management” conducted by the Ponemon Institute. The results indicate that:

  • The vast majority of respondents agree that metrics are “very important” (about 50%) or “important” (about 30%) in “achieving a mature, risk-based security management process.”
  • However, more than 50% of respondents said no or were unsure when asked whether their security metrics aligned with business objectives.
  • More than 50% of respondents said they were not effective in “communicating all relevant facts about the state of security risk to senior executives.”
  • When asked why they felt metrics weren’t aligned with business objectives, 50% or more of respondents felt that 1) the information is too technical for non-technical management to understand; and/or 2) more pressing departmental issues take precedence over security metrics discussions.

The report concluded that security professionals must “find or create metrics that are more broadly understood by business leaders,” and do a better job communicating about them. A little fine-tuning is often all that’s required to create useful metrics that are well aligned with IT security goals and can drive action towards continuous improvement.

The ISO 27001 standard requires that metrics be in place to measure the effectiveness of security controls. Pivot Point Security helps many businesses achieve ISO 27001 certification, so we work closely with clients to help them get their metrics right.

In my experience, almost every client is excited to finally have metrics in place to help them manage security risk. But even so, they frequently struggle to define the right metrics the first time around. After one audit cycle, most of our clients end up redefining at least a few of the metrics that were initially established for ISO 27001 certification. This is often because they encounter operational problems like those mentioned above; i.e., the metrics are too technical to communicate to management or too complex to gather and report in the limited time security professionals have in their schedules.

The good news is that our clients appreciate their metrics even more “the second time around.” Usually they’re able to resolve their operational challenges and leverage metrics effectively by simplifying the process.

How do you go about fine-tuning security metrics? Here are some of the resources that I’ve found useful:

If you’re looking for help with creating security metrics, or with getting current metrics to work better for you, Pivot Point Security is here to help with strategy, implementation and operations regarding your Information Security Management System (ISMS), Security Event Management (SEM) and other initiatives.

About the Author:

Mosi K. Platt, CISA - Information Security Auditor, ISO 27001 Certified Lead Implementer