Security: How Do You Rate?

By Matthew Hicks  |  Posted 2001-12-17 Print this article Print

Metrics programs provide answers.

The National Aeronautics and Space Administration can send a man to the moon. Youd think the agency could secure the core IT systems on which it depends to stay aloft.

Not necessarily so, as top NASA IT officials discovered to their dismay four years ago. Separate security audits by both NASAs own Inspector General and the General Accounting Office found worrisome security gaps such as out-of-date and incomplete security plans for major systems.

So NASA officials set out to fix their security problems in much the same way they manage huge space projects: by treating security as a measurable activity whose progress can be tracked and improved through the rigorous collection and analysis of metrics. NASAs detailed security auditing and metrics program has helped IT managers there build a case for dramatically increasing spending on security. And, although theres still room for improvement, the program has demonstrably upgraded the agencys overall security.

"Theres a correlation between a good metrics programs and a good security program," said David Nelson, deputy CIO in charge of security at NASA, in Washington. "NASA management has signed up to metrics. They look at the data at the center level, and center directors put on the afterburners if the metrics are not being met."

A recent survey of CEOs and other top corporate executives by New York-based KPMG LLP found that, while many (41 percent) worry that their organizations are not equipped to handle a serious security threat, most (59 percent) see security as a technology issue rather than a business issue. Thats a problem for IT managers who, without direct support from top management, face an uphill battle gathering the funding and clout it takes to roll out effective enterprise security, experts say.

But, as savvy IT managers at NASA and a few private-sector companies, such as DuPont, have found out, frequent, formal, metrics-driven audits can be a good way to overcome that problem by defining security in terms that business executives can understand: quantifiable results.

"It used to be that the CEO would say to the CIO, Are we secure? and hed say, Yes, and that would be the end of the conversation," said Mark Doll, national director for security and technology solutions at Ernst & Young LLP, in San Jose, Calif. "Now the CEO wants to know why youre so sure that were safe and to what standards and what level of security."

Developing security metrics, however, isnt easy. While government agencies such as NASA can look to federal laws and regulations that outline security requirements for guidance, there are no standards fully defining what security metrics nongovernment enterprises should collect or how they should collect them. That means that although they can call on consultants—many of whom have their own proprietary metrics-driven security audit processes—enterprises for the most part will need to decide for themselves what security metrics to collect and report. The key, experts say, is to start by clearly defining security goals and to involve not just IT but line-of-business managers and top executives as well.

Matthew Hicks As an online reporter for, Matt Hicks covers the fast-changing developments in Internet technologies. His coverage includes the growing field of Web conferencing software and services. With eight years as a business and technology journalist, Matt has gained insight into the market strategies of IT vendors as well as the needs of enterprise IT managers. He joined Ziff Davis in 1999 as a staff writer for the former Strategies section of eWEEK, where he wrote in-depth features about corporate strategies for e-business and enterprise software. In 2002, he moved to the News department at the magazine as a senior writer specializing in coverage of database software and enterprise networking. Later that year Matt started a yearlong fellowship in Washington, DC, after being awarded an American Political Science Association Congressional Fellowship for Journalist. As a fellow, he spent nine months working on policy issues, including technology policy, in for a Member of the U.S. House of Representatives. He rejoined Ziff Davis in August 2003 as a reporter dedicated to online coverage for Along with Web conferencing, he follows search engines, Web browsers, speech technology and the Internet domain-naming system.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel