There is a time-tested business axiom that gets to the heart of this question: You cannot manage what you do not measure.
Unfortunately, many security teams and their leadership find themselves caught in a cycle of analysis paralysis. The metrics they gather, and the way those metrics are used to communicate value, are often not business-focused enough to warrant attention. This raises the question of what is measured, why, and for whom.
IT is used to providing business-facing metrics that address deliverable elements such as responsiveness, uptime and service levels. These are generally easy to collect and measure, and communicate how the network and help desk contribute to keeping the business operating efficiently and effectively. These aren't terribly strategic in nature, but they can be quantitatively and directly tied back to the bottom line. The availability of services often becomes the only thing measured.
Security has a more difficult set of parameters and deliverables because, besides availability, we are charged with ensuring the confidentiality and integrity (amongst other things) of the corporation's infrastructure and information. The impact on availability can be quantified quite easily. The impact on confidentiality or integrity is much more difficult for most companies to compute.
When security teams are asked to provide security metrics that communicate "value" in the same way the help desk or network teams do, we are often faced with a difficult task: quantifying how defensive measures designed to stave off perceived and potential threats affect the business's bottom line beyond simply adding large capital and operational expenditures.
In the view of some, security is regarded as nothing more than an overhead grudge purchase akin to a seatbelt or an airbag in a car, an implied cost of ownership of a protective measure that will hopefully be there one day when it's needed. Others try to climb the slippery slope of defining the ROI of their security investments.
In many cases the culture of the organization is such that management may be able to understand how security could lead to cost avoidance, but not how it could contribute to the business through cost reduction.
Service providers can help their customers by introducing risk assessments and combining them with business impact analysis of the most important assets in an organization. This forces a security team to establish how the investments made in its portfolio to protect the things that matter most can be measured as a function of managing risk, which is what really matters.
Working with your customers to quantify risk will move the efforts, discussion and investments upstream as a business function rather than a grudge purchase. This can ultimately translate into budget availability for much more strategic and higher-limit engagements.
This was first published in April 2008