Measuring the Value of IT Security
That puts Williams, who writes about this and other issues in his blog Tech Buddha, at odds with many people in the security industry who believe there are no metrics for security equivalent to those for telecom, where SLAs are de rigueur.

A 99.99 percent uptime guarantee is a solid networking standard no matter what the organization, they say, but security is too specific to each organization to put any standard value on its metrics.

Williams, chief technology officer at security management vendor BigFix Inc., with previous executive stints at Gartner Research and nCircle Network Security, begs to differ. He also believes that, with business compliance needs for security becoming paramount, the kind of accountability those needs require is impossible without an SLA.

“In the past, security was looked on as a kind of black magic voodoo that IT practiced in the basement,” he said. “But security today is also about protecting the data and intellectual property of a business, not just systems, and that’s increasingly where security initiatives will be focused.”

That increasing pressure to respond to compliance needs is in turn putting emphasis on making security more transparent and visible within an enterprise.

At the same time, Williams said, organizations are starting to treat security differently as the threat shifts from malware developed by hobbyists, nuisance attacks in other words, to a medium that serious criminals exploit to steal money.

All of that has caught the attention of executives at these organizations, and they are looking for ways to improve their security. And the fact is, he said, you can’t improve security if you can’t measure its effectiveness.

“They have to do that to see if they need to hire more people, what they need to support team effectiveness and so on,” Williams said. “The CIOs need metrics in order to measure the effectiveness of the technology they purchase.”

Metrics Count

What those metrics can be, and whether they truly reflect the effectiveness of an organization’s security infrastructure, is the question. There is a whole set of security disciplines common to all organizations that can be used to measure effectiveness, Williams insists: how quickly anti-virus DAT files are updated, for example, or how consistently an organization installs 80 or 90 percent of security patches within any 24-hour period. Organizations can also monitor how well various operational elements comply with corporate security policies.

They can then measure the effectiveness of this security by following how well it performs before, during, and after a security incident.

With all of that information in hand, Williams says, the organization can decide what levels of security it wants and set thresholds. If any of the metrics subsequently dips below those thresholds, “that’s something that’s actionable,” he said.

It’s about providing accountability for all of the disparate technology and business groups within an organization that are becoming responsible for security, and about defining a common set of criteria that applies to all of them.

“There definitely needs to be an industry-wide awareness that SLAs are effective and that the metrics they use are real,” Williams said. “Because, without SLAs, there is no accountability.”
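To make the threshold idea concrete, here is an added example of computing three of the metrics Williams mentions (patch installs completed within a 24-hour window, anti-virus DAT file freshness, and policy-check compliance) and flagging any that fall below an SLA floor. This is illustrative code written for this page; it is not from the article, from BigFix, or from any product. The record layout, the threshold values, the fixed clock (NOW) and all sample data are constructed for the example, and the rule that in-flight rollouts whose window has not yet closed are excluded from the patch metric is a design choice made here, not something the article states.

```python
"""Security SLA metrics with threshold checks (added illustration, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Sequence

# Fixed "current time" so the example is deterministic (constructed value).
NOW = datetime(2024, 1, 10, 0, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class PatchEvent:
    host: str
    patch_id: str
    released: datetime             # vendor release time
    installed: Optional[datetime]  # None means not installed yet


@dataclass(frozen=True)
class MetricResult:
    name: str
    value: float       # measured share, 0.0 to 1.0
    threshold: float   # SLA floor the organization chose
    breached: bool     # True when value < threshold: the actionable case


def patch_coverage(events: Sequence[PatchEvent], window: timedelta, now: datetime) -> float:
    """Share of required patch installs completed within `window` of release.

    Only events whose window has already elapsed are counted, so a rollout
    still inside its window is neither a hit nor a miss. A patch still
    missing after the window closed is a miss, as is one installed late.
    """
    due = [e for e in events if e.released + window <= now]
    if not due:
        return 1.0
    on_time = sum(
        1 for e in due
        if e.installed is not None and e.installed - e.released <= window
    )
    return on_time / len(due)


def signature_freshness(dat_age: Dict[str, timedelta], max_age: timedelta) -> float:
    """Share of hosts whose anti-virus signature (DAT) file is no older than max_age."""
    if not dat_age:
        return 1.0
    return sum(1 for age in dat_age.values() if age <= max_age) / len(dat_age)


def policy_compliance(results: Dict[str, bool]) -> float:
    """Share of policy checks that passed."""
    if not results:
        return 1.0
    return sum(results.values()) / len(results)


def evaluate(measured: Dict[str, float], thresholds: Dict[str, float]) -> List[MetricResult]:
    """Compare each metric with its SLA floor; a value below the floor is a breach."""
    return [
        MetricResult(name, value, thresholds[name], value < thresholds[name])
        for name, value in measured.items()
    ]


# Constructed sample data (hypothetical hosts and patch identifiers).
_R1 = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)   # window closed before NOW
_R2 = datetime(2024, 1, 9, 20, 0, tzinfo=timezone.utc)   # window still open at NOW
SAMPLE_PATCHES = [
    PatchEvent("hostA", "KB-1", _R1, _R1 + timedelta(hours=6)),   # on time
    PatchEvent("hostB", "KB-1", _R1, _R1 + timedelta(hours=30)),  # late
    PatchEvent("hostC", "KB-1", _R1, None),                       # still missing
    PatchEvent("hostA", "KB-2", _R2, None),                       # in flight, not counted
    PatchEvent("hostB", "KB-2", _R2, _R2 + timedelta(hours=2)),   # in flight, not counted
]
SAMPLE_DAT_AGE = {
    "hostA": timedelta(hours=2), "hostB": timedelta(hours=26),
    "hostC": timedelta(hours=1), "hostD": timedelta(hours=3),
}
SAMPLE_POLICY = {f"check-{i}": (i != 7) for i in range(20)}  # 19 of 20 pass

THRESHOLDS = {  # SLA floors chosen for illustration only
    "patch_coverage_24h": 0.90,
    "signature_fresh_24h": 0.95,
    "policy_compliance": 0.90,
}


def sla_report(now: datetime = NOW) -> List[MetricResult]:
    """Compute the three sample metrics and evaluate them against THRESHOLDS."""
    measured = {
        "patch_coverage_24h": patch_coverage(SAMPLE_PATCHES, timedelta(hours=24), now),
        "signature_fresh_24h": signature_freshness(SAMPLE_DAT_AGE, timedelta(hours=24)),
        "policy_compliance": policy_compliance(SAMPLE_POLICY),
    }
    return evaluate(measured, THRESHOLDS)


if __name__ == "__main__":
    for m in sla_report():
        flag = "BREACH" if m.breached else "ok"
        print(f"{m.name:22s} {m.value:6.1%}  floor {m.threshold:.0%}  {flag}")
```

With the sample data, patch coverage comes out at one in three (one on-time install, one late, one missing) and DAT freshness at three hosts in four, both below their floors and therefore actionable in Williams's sense, while policy compliance at 19 of 20 clears its floor. The exclusion of patches whose window has not yet closed is what keeps a rollout that started an hour ago from registering as a breach.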