Organisations overcomplicate the way they measure security and would benefit from a much simpler approach, according to analyst group Forrester.
Speaking ahead of the Forrester Security Forum held in London today and tomorrow, Andrew Jacquith, senior analyst at the firm, acknowledged it was difficult to measure the effectiveness of security. “It tends to be very emotional, we make decisions based on perceptions of risk and headlines in newspapers. This isn’t a good way to judge.”
To measure the strength of your security easily and accurately, organisations should define their security measures into clear areas, and develop simple and consistent metrics, he told CIO UK sister title Computerworld UK.
Jacquith advised businesses to produce a simple number for each measurement that puts the quality of security into context, for example, “what percentage of laptops are covered by anti-malware programmes, how many network intrusions have taken place divided by the number of users on the network, or what percentage of intrusions were detected by systems rather than found later accidentally”.
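The three metrics Jacquith names can be computed from an asset inventory and an incident register in a few lines. The following is an added example, not code from the article or from Forrester; the inventory, the incident records, the headcount of 1,200 users and the set of tools counted as “systems” are all constructed for illustration. The per-user figure is normalised per 1,000 users (an assumption) so that reporting periods with different headcounts stay comparable, and empty inputs report 0.0 rather than dividing by zero.

```python
"""Simple security metrics of the kind described above, computed from
constructed sample data (not from the article)."""
from collections import Counter

# Constructed asset inventory: one record per laptop.
LAPTOPS = [
    {"host": "lt-001", "antimalware": True},
    {"host": "lt-002", "antimalware": True},
    {"host": "lt-003", "antimalware": False},
    {"host": "lt-004", "antimalware": True},
    {"host": "lt-005", "antimalware": False},
]

# Constructed incident register. "detected_by" records how the intrusion
# came to light: a monitoring system, or something else (user report, audit).
INTRUSIONS = [
    {"id": 1, "detected_by": "ids"},
    {"id": 2, "detected_by": "edr"},
    {"id": 3, "detected_by": "user_report"},
    {"id": 4, "detected_by": "ids"},
    {"id": 5, "detected_by": "audit"},
    {"id": 6, "detected_by": "siem"},
]

# Assumed: which detection sources count as "detected by systems".
SYSTEM_DETECTION_SOURCES = {"ids", "edr", "siem", "antimalware"}
NETWORK_USERS = 1200  # assumed headcount on the network


def percent(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    if denominator == 0:
        return 0.0
    return round(100.0 * numerator / denominator, 1)


def antimalware_coverage(laptops):
    """Percentage of laptops with anti-malware installed."""
    covered = sum(1 for lt in laptops if lt["antimalware"])
    return percent(covered, len(laptops))


def intrusions_per_user(intrusions, users, per=1000):
    """Intrusions normalised per `per` users (assumed scale, not from the article)."""
    if users == 0:
        return 0.0
    return round(len(intrusions) * per / users, 2)


def system_detection_rate(intrusions, system_sources=SYSTEM_DETECTION_SOURCES):
    """Percentage of intrusions surfaced by monitoring systems rather than found by chance."""
    by_system = sum(1 for inc in intrusions if inc["detected_by"] in system_sources)
    return percent(by_system, len(intrusions))


def detection_breakdown(intrusions):
    """Count of intrusions per detection source, useful context beside the headline number."""
    return dict(Counter(inc["detected_by"] for inc in intrusions))


def security_scorecard(laptops=LAPTOPS, intrusions=INTRUSIONS, users=NETWORK_USERS):
    """One simple number per measurement, as the article recommends."""
    return {
        "antimalware_coverage_pct": antimalware_coverage(laptops),
        "intrusions_per_1000_users": intrusions_per_user(intrusions, users),
        "system_detected_pct": system_detection_rate(intrusions),
        "detection_sources": detection_breakdown(intrusions),
    }


if __name__ == "__main__":
    for name, value in security_scorecard().items():
        print(f"{name}: {value}")
```

Keeping the definition of “detected by systems” in one explicit set is what makes the metric consistent from one reporting period to the next; if the set changes, the trend line changes with it, so any change should be recorded alongside the numbers.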
Creating simple numbers that demonstrated the strength of security was far more effective than complex metrics, which can be difficult to decode and mean little in a business context, he said.
“Executives don’t have a lot of time, and they want simple answers they can rely on. The security industry has not been good at developing a non-technical explanation.”
The act of measuring progress, and the discipline required, improves security and demonstrates to managers its value, he said. “With budgets the way they are, we know how important that is.”