The nonprofit Center for Internet Security plans to release a set of IT security metrics soon based on input from more than 80 security experts from government, business and academia.
The CIS metrics are meant to help organizations determine their security posture using a consensus-based measuring stick. In general, the initial set of outcome and process metrics include: mean time between security incidents, percent of systems patched to policy and percent of business applications that had a risk assessment.
Other metrics will deal with the percent of systems with anti-virus, the percent of systems configured to approved standards, the mean time it takes to recover from security incidents and the percent of application code that has had either a security assessment, threat model analysis or code review prior to production deployment.
"Enterprise leaders and information security professionals struggle to make cost-effective security investment decisions largely because they lack specific, consistent, widely accepted outcome metrics for decision support," said Bert Miuccio, CEO of CIS, in a statement. "Legislators and executives want to understand the value their expenditures produce, but objectively defining and measuring success is an increasing problem for security professionals. I think these challenges can be most effectively addressed through collaboration and consensus."
In addition to the metrics, CIS also plans to unveil a software-based service later this year to enable anonymous cross-organization comparison of security status, communication of security performance over time and mechanisms for correlating security practices with outcomes.
"The new CIS information security metrics service will provide data that is essential in formulating information security strategy and evaluating its implementation," Miuccio said. "The data service will provide a rational basis for making cost-effective security investments to better ensure the availability, confidentiality and integrity of information for enterprises that depend on the cyber infrastructure."