Better Security through Benchmarks


Despite all of the log files and other security information that flows through organizations, most security professionals have a big blind spot, said Steve Kahan, CMO of Thycotic, a provider of privileged account management software, and president of a new organization called Security by the Numbers.

Kahan said his discussions with security pros often revealed their inability to answer a key question: How secure is my organization?

Security by the Numbers aims to change that, by providing benchmarks that help companies understand how their security postures stack up against similar companies.  

"Companies want to know how they are doing and they don't want to pay a consultant $100,000 to find out," Kahan said. "We want to give them a better way to judge their security metrics by understanding how their results compare to their peers."

It is hard to overstate the importance of metrics, he added. "In order to build a strong, understandable security program, metrics are critical to a CISO's success. You need them to answer basic questions like are we spending too much or not enough on security? Which business units are falling behind?"

Companies can visit the Security by the Numbers website to take an online security measurement index survey, the first of what the group hopes will be many such surveys. It takes roughly 15 minutes to complete, and there is no charge, Kahan said.

Survey respondents will receive an "immediate" letter grade (A-F), he said, followed by an email containing a report that shows how their answers compare with peers in similar company size and industry vertical categories.

Putting Security Priorities in Order

This is especially helpful for small and midmarket businesses that may lack the security resources of larger companies.

"Given their resources, they have to prioritize," Kahan said. "This gives them an effective way to see how their security management practices compare to their peers and a basis for developing their own best practices addressing areas they feel they are weaker on relative to their peer group."

The first survey – which is online now – is based on the ISO 27001 standard, which encompasses a broad array of security management best practices, including those involving security policy, software development, incident management and asset management, and is designed to help organizations successfully pass a formal security audit.

Making an Executive Connection

These kinds of controls-based metrics are easier for executive managers and boards of directors to understand, said Mark Carney, a member of the Security by the Numbers advisory council and CISO of FireMon, a provider of firewall management software.

Many security professionals are highly focused on operational metrics such as how many viruses were detected and prevented, Carney said, adding, "Operational security metrics are great, but when measuring security metrics for a certain audience, you have to know your audience."

Recognizing that CISOs and other security professionals routinely brief boards of directors on security risks, Security by the Numbers decided to make its first benchmark one that would be meaningful for that audience, Carney said.  "If you can take security management metrics like the ISO, and be able to show your gaps and areas for improvement – and the business risks tied to those gaps – to your board and executive management, it is much closer to what they are interested in and can relate to."   

Security by the Numbers plans to roll out its second benchmark, which will focus on security policy awareness among end users, later this year. Over time the group plans to produce detailed reports based on its research and possibly offer online training, Kahan said.   

It plans to complement -- not compete with -- the SANS Institute and other existing organizations, he added. "We want to stay true to our niche: showing how you compare with peer groups on useful benchmarks, and providing good comparative metrics."

Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.