Many people in various security disciplines are looking to metrics as a way to demonstrate the efficacy of their efforts and show continuous process improvement.
If I told you that testing discovered nine critical vulnerabilities last month, what knowledge have I imparted? Does it clarify improvement from last month/last year? Does it imply that you are testing more broadly across your portfolio to eliminate detection gaps? Does it mean you simply changed the definition for “critical”?
A metric without larger context is just a number (and if it’s just a color, then it probably hides more than it tells). True metrics are valuable because they provide specific decision-support information to the person who needs it. The key is to link each metric directly to a specific question (literally, an interrogative sentence) about whether the firm is achieving a business goal. This creates a useful and objective indicator of whether security initiatives are moving the firm in the right direction by the expected amount. Because well-constructed goals include business benefits, the associated metrics now convey tangible contribution to the organization.
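As an added illustration (not part of the original article), the following Python sketch models a reporting period as the finding counts plus the context behind them: how much of the portfolio was actually tested and which severity definitions were in force. It answers the question the metric is meant to support ("are we finding fewer critical defects per application tested, measured the same way as last period?") and refuses to answer when the definition of "critical" changed between periods. The periods, counts, and taxonomy version labels are constructed sample data.

```python
"""Added example: a vulnerability-count metric that carries its own context.

A raw count such as "nine criticals last month" cannot distinguish broader
testing from a worse codebase, nor a real improvement from a redefinition of
"critical". Each Period below records coverage and the severity taxonomy
version alongside the counts so the comparison is honest.
All data in this file is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Period:
    name: str
    apps_in_portfolio: int        # size of the portfolio the business goal covers
    apps_tested: int              # how many of those applications were tested
    taxonomy_version: str         # which severity definitions were in force (assumed label)
    findings: dict = field(default_factory=dict)  # severity -> count

    def coverage(self) -> float:
        """Fraction of the portfolio that testing actually reached."""
        return self.apps_tested / self.apps_in_portfolio

    def density(self, severity: str) -> float:
        """Findings of a given severity per application tested."""
        return self.findings.get(severity, 0) / self.apps_tested


def compare(prev: Period, curr: Period, severity: str = "critical") -> dict:
    """Answer 'is the critical-finding density improving?' for two periods.

    Returns the raw count delta (what a naive report would show), coverage and
    density for both periods, and an 'improving' verdict that is None when the
    severity taxonomy changed, because the periods are not comparable.
    """
    result = {
        "raw_count_delta": curr.findings.get(severity, 0) - prev.findings.get(severity, 0),
        "coverage_prev": round(prev.coverage(), 3),
        "coverage_curr": round(curr.coverage(), 3),
        "density_prev": round(prev.density(severity), 3),
        "density_curr": round(curr.density(severity), 3),
        "comparable": prev.taxonomy_version == curr.taxonomy_version,
    }
    if not result["comparable"]:
        result["improving"] = None  # cannot answer the question without a re-baseline
        result["note"] = (f"severity taxonomy changed {prev.taxonomy_version} -> "
                          f"{curr.taxonomy_version}; re-baseline before comparing")
    else:
        result["improving"] = curr.density(severity) < prev.density(severity)
    return result


# Constructed sample periods: June tests twice as many apps as May and reports
# more criticals in total, yet the per-app density actually falls; July changes
# the severity definitions, so its drop in criticals proves nothing by itself.
MAY = Period("2023-05", apps_in_portfolio=120, apps_tested=30,
             taxonomy_version="sev-v1", findings={"critical": 9, "high": 22})
JUNE = Period("2023-06", apps_in_portfolio=120, apps_tested=60,
              taxonomy_version="sev-v1", findings={"critical": 12, "high": 31})
JULY = Period("2023-07", apps_in_portfolio=120, apps_tested=60,
              taxonomy_version="sev-v2", findings={"critical": 5, "high": 40})

if __name__ == "__main__":
    for prev, curr in ((MAY, JUNE), (JUNE, JULY)):
        print(f"{prev.name} -> {curr.name}: {compare(prev, curr)}")
```

Run as a script it prints both comparisons: May to June shows a raw increase of three criticals but a density drop from 0.3 to 0.2 per tested application at doubled coverage, while June to July is flagged as not comparable. The point of the design is that the metric cannot be reported without the coverage and taxonomy fields, so the context the article asks for travels with the number.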
Linking security metrics to business goals expresses security initiatives in the language of business and clarifies how the security efforts directly contribute to organizational health. In addition to compliance, risk management, and other goals, this linkage is critical to the budgeting process, as management is far more comfortable allocating funds to achieving tangible results than amorphous targets such as making the organization “more secure.” The metrics demonstrate continuous improvement over time, establishing trust with management and thereby further reducing friction in the budgeting process.
Sammy Migues is principal scientist within the Synopsys Software Integrity Group, where he studies evolving application security market needs, creates solutions for the hard problems, and leads organizations through transformational improvements. Over the past 15 years, Sammy has focused on computer-based and instructor-led training, smart grid, supply chain security, metrics, software security initiative maturity, and management consulting. Sammy is a co-creator and the maintainer of the Building Security In Maturity Model (BSIMM), the only study of its kind to capture the actual software security practices in over 200 firms around the globe. Sammy also co-authored the Synopsys CISO Report, a review of approaches to the CISO role, and the BSIMMsc, an application of the BSIMM for supply chain security. His thought leadership and expertise have appeared in Dark Reading, Infosecurity Magazine, Forbes, Supply Chain Digital, and The Daily Swig, among other media publications. He has spoken at public conferences including Gartner, FS-ISAC, and RSA. Sammy is also a frequent speaker at private conferences, such as the members-only BSIMM conference, and internal security conferences.