Security: How Do You Rate?

Metrics programs provide answers.

The National Aeronautics and Space Administration can send a man to the moon. You'd think the agency could secure the core IT systems on which it depends to stay aloft.

Not necessarily so, as top NASA IT officials discovered to their dismay four years ago. Separate security audits by both NASA's own Inspector General and the General Accounting Office found worrisome security gaps such as out-of-date and incomplete security plans for major systems.

So NASA officials set out to fix their security problems in much the same way they manage huge space projects: by treating security as a measurable activity whose progress can be tracked and improved through the rigorous collection and analysis of metrics. NASA's detailed security auditing and metrics program has helped IT managers there build a case for dramatically increasing spending on security. And, although there's still room for improvement, the program has demonstrably upgraded the agency's overall security.

"There's a correlation between a good metrics program and a good security program," said David Nelson, deputy CIO in charge of security at NASA, in Washington. "NASA management has signed up to metrics. They look at the data at the center level, and center directors put on the afterburners if the metrics are not being met."

A recent survey of CEOs and other top corporate executives by New York-based KPMG LLP found that, while many (41 percent) worry that their organizations are not equipped to handle a serious security threat, most (59 percent) see security as a technology issue rather than a business issue. That's a problem for IT managers who, without direct support from top management, face an uphill battle gathering the funding and clout it takes to roll out effective enterprise security, experts say.

But, as savvy IT managers at NASA and a few private-sector companies, such as DuPont, have found out, frequent, formal, metrics-driven audits can be a good way to overcome that problem by defining security in terms that business executives can understand: quantifiable results.

"It used to be that the CEO would say to the CIO, 'Are we secure?' and he'd say, 'Yes,' and that would be the end of the conversation," said Mark Doll, national director for security and technology solutions at Ernst & Young LLP, in San Jose, Calif. "Now the CEO wants to know why you're so sure that we're safe and to what standards and what level of security."

Developing security metrics, however, isn't easy. While government agencies such as NASA can look to federal laws and regulations that outline security requirements for guidance, there are no standards fully defining what security metrics nongovernment enterprises should collect or how they should collect them. That means that although they can call on consultants—many of whom have their own proprietary metrics-driven security audit processes—enterprises for the most part will need to decide for themselves what security metrics to collect and report. The key, experts say, is to start by clearly defining security goals and to involve not just IT but line-of-business managers and top executives as well.