Organisations should measure and report on security metrics, says exec
RSM Australia reports that organisations and senior leadership are becoming more involved in the management of cyber security risks because of the threat that's posed to the business.
To diminish these risks, RSM says companies are making significant investments in all areas of security. These areas range from devices and appliances, right through to software and end-user security awareness training.
Michael Shatter, partner of Security - Privacy Services at RSM Australia, says for some, these activities and their costs become a material investment.
"However, security spending is not and should not be excused from the normal business scrutiny of how funds are spent and the measurement of the return on these investments," says Shatter. "To really understand the value and success of the security measures and the respective investments, organisations should measure and report on agreed-upon metrics," he explains.
Shatter explains that these metrics should communicate clearly to the board and management whether the cyber and information system security controls and processes are effective and are delivering value.
When developing security metrics RSM advises organisations to consider the following characteristics:
- Meaningfulness - There is no point reporting something that no one understands, doesn't relate to people's responsibilities and activities, or no one cares about.
- Accuracy - The metrics must provide the identified security performance information in a format that accurately reports key activities.
- Genuine - Measurement should be focused on those areas that can be genuinely and reliably reported. It is difficult to have confidence in a metric of breaches stopped if there is no reliable mechanism to capture the number of attempted and successful breaches.
- Timeliness - Metrics should reflect the current circumstances and processes, not past and old information that loses usefulness and relevancy to management and stakeholders.
- Predictive - For metrics to realise their true value to an organisation, they should be able to assist with predicting future risks, outcomes, and behaviours.
- Independent - Metrics are more reliable when they are independently-prepared.
"Information security management is closely linked to an organisation's risk management processes," adds Shatter.
"Therefore, security metrics reporting should be a key part of the risk assessment of mitigation strategies and actions that are either planned or already in place."