by aarrott 08-17-2009 06:57 AM - edited 08-17-2009 07:31 AM
Do security metrics help secure IT security budgets? Which ones? IT security managers at the MetriCon conference in Montreal last week expressed their view. What works for you? Join the discussion.
Metrics that Motivate
At the MetriCon security metrics conference in Montreal last week, the last panel featured three security managers. Most of the other talks had been from academics, consultants, and industry security metrics practitioners. But here on this last panel were three managers "from the trenches" - each the highest-ranking security manager for their organization. The organizations included a retailer with nearly a billion dollars in revenue and an e-commerce business with nearly a billion dollars in revenue.
One of the questions asked of the panel was this: Which security metrics are most useful to you for obtaining next year's security budget?
There was remarkable consensus among the three security managers: The record of security incidents. According to the panel, executive management is looking for the security manager to be familiar with the organization's security incidents. Executive management wants metrics that demonstrate not only awareness of security incidents but also that the organization's IT security is successfully coping with these incidents. The key seemed to be the importance of metrics specific to the organization (instead of metrics of the global threat landscape).
Demonstrated success in coping with the organization's own security incidents apparently trumps the global fear factor as a motivator for IT security spending.
What metrics are most useful to you in defending your organization's IT security budget?
What currently available metrics are pretty much irrelevant as motivators for security spending?
Are there unavailable security metrics you wish you had come budget time?
Anthony Arrott is product manager for security analytics at Trend Micro. Among other duties, he coordinates Trend Micro’s participation in external benchmark testing programs that measure the protection commercial security software products provide to their customers.
Arrott was Director of Threat Research at anti-spyware vendor InterMute, prior to its acquisition by Trend Micro in 2005. In 2007 Dr. Arrott led the project team for Trend Micro HijackThis v2.0 – enhancing the popular malware diagnostic tool originally developed by Merijn Bellekom. Dr. Arrott earned his degrees at McGill University and M.I.T.