One Article Review

Home - The article:
Source AlienVault Blog
Identifier 3062983
Publication date 2021-07-14 10:00:00 (viewed: 2021-07-14 11:05:32)
Title Meaningful security metrics
Text Security metrics are vital for you as a security leader to track the progress of your security program and to have effective, risk-focused conversations with business and operations stakeholders. Security metrics pave the way for security initiatives, facilitate resource allocation, and help communicate results to relevant stakeholders throughout the organization. Today, security functions are expected to plan and track their contributions to the business so that strategic alignment helps win and retain customers. Security metrics should help you do your job better and demonstrate to business leadership that you are doing a good job of managing security. You can hone your existing security metrics so that they are more meaningful and demonstrate actual value to business stakeholders.

Despite growing interest in meaningful security metrics, organizations globally continue to find it a challenging task. CISOs can find it difficult to define security metrics, as there are no off-the-shelf standard metrics that would suit every organization, and no established standard templates for what should be measured.

Principles for enhancing existing security metrics

You may reach out to cybersecurity consulting organizations for help implementing industry standards and vertical-specific requirements, drawing on their experience in establishing and growing information security risk management combined with security metric reporting. Your consultant can review existing information security metrics so that the defined metrics align with the current technical landscape and threat environment, considering the following principles.

- Review categorization of metrics for comprehensiveness: Examine the current functional categorization for comprehensiveness and framework alignment, considering security and compliance requirements (e.g. PCI, HIPAA, FRB) in the light of currently applicable regulatory and legislative requirements and industry best practices. Consider metrics that map to the chosen framework for security management.

- Review individual metrics for holistic risk representation: Review existing metrics for suitable attributes such as effectiveness, efficiency, coverage, compliance, timing, cost, and process maturity. This step helps the stakeholder understand the specific risk exposure and quantifiably measure each security metric. For meaningful insight, each metric should have an appropriate unit of measurement. Measurement can be qualitative, quantitative, or binary depending on the kind of metric.

- Review the security metrics lifecycle: Review existing metrics for their continued relevance at least annually. In areas where metrics have been successful in driving maturity, recommend modifying the metrics or raising their thresholds. Determine whether metrics need to be modified based on changes in overall program maturity, in underlying technologies, or in threats, risks and regulations.

- Review security metrics for context, reliability, and credibility: Give metrics the necessary context, reliability, and credibility by checking the availability of supporting data and adding explanatory notes where needed. Clearly articulate the definition of each metric: your audience needs to understand what is being measured, its business impact, and the meaning of the metric (quantitative or qualitative), rather than being presented with data in isolation and left to interpret the measure or the risk and exposure involved.

- Review the action orientation of metrics: Don't just rely on numbers. Interpret the insights to provide actionable recommendations. If the required actions are not made explicit, reporting will not serve its purpose. Be sure that metrics provide adequate information to
Sent Yes
Tags Threat Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.