Organisations should measure and report on security metrics, says exec

23 Sep 2016

RSM Australia reports that organisations and senior leadership are becoming more involved in the management of cyber security risks because of the threat that’s posed to the business.

To diminish these risks, RSM says companies are making significant investments in all areas of security. These areas range from devices and appliances, right through to software and end-user security awareness training.

Michael Shatter, partner of Security & Privacy Services at RSM Australia, says for some, these activities and their costs become a material investment.

“However, security spending is not and should not be excused from the normal business scrutiny of how funds are spent and the measurement of the return on these investments,” says Shatter.

“To really understand the value and success of the security measures and the respective investments, organisations should measure and report on agreed-upon metrics,” he explains.

Shatter explains that these metrics should communicate clearly to the board and management whether the cyber and information system security controls and processes are effective and are delivering value.

When developing security metrics, RSM advises organisations to consider the following characteristics:

  1. Meaningfulness - There is no point reporting something that no one understands, that doesn’t relate to people’s responsibilities and activities, or that no one cares about.
  2. Accuracy - The metrics must provide the identified security performance information in a format that accurately reports key activities.
  3. Genuine - Measurement should be focused on those areas that can be genuinely and reliably reported. It is difficult to have confidence in a metric of breaches stopped if there is no reliable mechanism to capture the number of attempted and successful breaches. 
  4. Timeliness - Metrics should reflect the current circumstances and processes, not past and old information that loses usefulness and relevancy to management and stakeholders. 
  5. Predictive - For metrics to realise their true value to an organisation, they should be able to assist with predicting future risks, outcomes, and behaviours. 
  6. Independent - Metrics are more reliable when they are independently prepared.

“Information security management is closely linked to an organisation’s risk management processes,” adds Shatter.

“Therefore, security metrics reporting should be a key part of the risk assessment of mitigation strategies and actions that are either planned or already in place.” 
