Organisations should measure and report on security metrics, says exec

23 Sep 16

RSM Australia reports that organisations and senior leadership are becoming more involved in the management of cyber security risks because of the threat that’s posed to the business.

To diminish these risks, RSM says companies are making significant investments in all areas of security. These areas range from devices and appliances, right through to software and end-user security awareness training.

Michael Shatter, partner of Security & Privacy Services at RSM Australia, says for some, these activities and their costs become a material investment.

“However, security spending is not and should not be excused from the normal business scrutiny of how funds are spent and the measurement of the return on these investments,” says Shatter.

“To really understand the value and success of the security measures and the respective investments, organisations should measure and report on agreed-upon metrics,” he explains.

Shatter explains that these metrics should communicate clearly to the board and management whether the cyber and information system security controls and processes are effective and are delivering value.

When developing security metrics, RSM advises organisations to consider the following characteristics:

  1. Meaningfulness - There is no point reporting something that no one understands, that doesn’t relate to people’s responsibilities and activities, or that no one cares about.
  2. Accuracy - The metrics must provide the identified security performance information in a format that accurately reports key activities.
  3. Genuine - Measurement should be focused on those areas that can be genuinely and reliably reported. It is difficult to have confidence in a metric of breaches stopped if there is no reliable mechanism to capture the number of attempted and successful breaches.
  4. Timeliness - Metrics should reflect current circumstances and processes, not old information that has lost its usefulness and relevance to management and stakeholders.
  5. Predictive - For metrics to realise their true value to an organisation, they should be able to assist with predicting future risks, outcomes, and behaviours.
  6. Independent - Metrics are more reliable when they are independently prepared.

“Information security management is closely linked to an organisation’s risk management processes,” adds Shatter.

“Therefore, security metrics reporting should be a key part of the risk assessment of mitigation strategies and actions that are either planned or already in place.”
