A group of chief information security officers have formed an independent think tank to develop quantitative metrics for network security.
SAN FRANCISCO -- A collection of chief information security officers have formed an independent think tank to develop quantitative metrics for network security.
The Security Metrics Consortium, or SecMet, hopes to remove some of the fuzziness that qualitative assessments of a company's security preparedness can offer. Attaching numbers to a network's security will help a chief information security officer's counterpart in the finance department assess whether the company's security strategy is working, members of the group said Tuesday.
By this summer, the group hopes to establish a framework for quantifiable security metrics that SecMet can roll out at a later date, possibly by the end of the year. William Boni, chief information security officer for Motorola Inc., will head SecMet as chairman, with Patrick Heim, vice president of Internet security at McKesson Corp., serving as vice chairman.
The challenge will be to deliver a baseline quantitative security metric for management to assess, Boni said at a press conference here at the RSA Conference. Qualitative assessments of security are much more common, basing their analysis on surveys. "We're going to leverage something we're doing anyway," Boni said.
Ray Wagner, a security analyst for Gartner Inc., said Tuesday that companies are expected to spend about 5 percent of their 2004 IT budgets on security.
Currently, SecMet includes representatives from Macromedia Inc., AmSouth Bank, Amgen and Foundstone Inc. However, the group will be vendor-neutral, and Boni said he believes the consortium will serve as more of a think tank than a regulatory agency. SecMet is currently recruiting members, and interested parties can sign up at the SecMet web site.
Stuart McClure, president and chief technology officer of Foundstone, said the consortium will take a "vulnerability-centric" approach to assessing network security. Examples of what the framework could measure include the duration and penetration of viruses on a network, as well as the number of physical devices that are attached to a network, he said.