Why measuring security is hard
By continually measuring the number of employees with admin or elevated privileges to cloud applications over time, teams will better understand if and when they need to revisit access-level policies. It is also essential to measure the number of times cloud security policies have been violated and the number of misconfigured assets within the environment. Comparing these metrics to a set of best practices, such as the CIS Foundations Benchmarks, will help to determine the effectiveness of their overall cloud security initiatives.
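As an added illustration (not code from the article or from Axonius), the following Python computes those three cloud metrics over constructed monthly snapshots of one account and flags the periods that fall outside assumed target thresholds; the snapshot data, user names and thresholds are all made up for the example.

```python
from datetime import date

# Constructed snapshots of one cloud account, one per monthly review. Each lists
# the users holding admin roles, the count of policy violations raised by the
# cloud security tooling, and per-asset configuration-check results, where
# True means the asset passed its benchmark checks. All values are made up.
SNAPSHOTS = [
    {"taken": date(2024, 1, 1), "admins": {"alice", "bob"}, "violations": 3,
     "assets": {"bucket-a": True, "bucket-b": False, "vm-1": True, "db-1": True}},
    {"taken": date(2024, 2, 1), "admins": {"alice", "bob", "carol"}, "violations": 5,
     "assets": {"bucket-a": True, "bucket-b": False, "vm-1": False, "db-1": True,
                "vm-2": False}},
    {"taken": date(2024, 3, 1), "admins": {"alice", "carol", "dave", "erin"},
     "violations": 2,
     "assets": {"bucket-a": True, "bucket-b": True, "vm-1": True, "db-1": True,
                "vm-2": True}},
]


def misconfigured_pct(snapshot):
    """Share of inventoried assets that failed their configuration checks."""
    assets = snapshot["assets"]
    failed = sum(1 for ok in assets.values() if not ok)
    return round(100.0 * failed / len(assets), 1) if assets else 0.0


def privilege_trend(snapshots):
    """Per period: admin count plus which users newly gained admin since the
    previous snapshot, so reviewers see who changed, not just the total."""
    trend = []
    previous = set()
    for snap in sorted(snapshots, key=lambda s: s["taken"]):
        trend.append((snap["taken"], len(snap["admins"]), snap["admins"] - previous))
        previous = snap["admins"]
    return trend


def evaluate(snapshots, max_admins=3, max_misconfigured_pct=20.0):
    """Compare each period against target thresholds (assumed here; a real
    program would derive them from its chosen benchmark) and return findings."""
    findings = []
    for taken, admin_count, gained in privilege_trend(snapshots):
        if admin_count > max_admins:
            findings.append((taken, f"admins={admin_count} exceeds {max_admins}; "
                             f"review grants to {sorted(gained)}"))
    for snap in snapshots:
        pct = misconfigured_pct(snap)
        if pct > max_misconfigured_pct:
            findings.append((snap["taken"], f"{pct}% of assets misconfigured"))
    return sorted(findings)
```

Each finding names the review period and the accounts or assets to act on, which is the "actionable information" the article asks metrics to provide.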
Executive-level metrics focus more on the business impact than the security program. Another metric area is risk quantification. If companies can quantify cyber risk beyond just incident costs, they can understand where the security program is in a digestible way for executive audiences. There are endless variables and possibilities when it comes to measuring cybersecurity programs.
Successful metrics programs incorporate measurements that best match the business and program outcomes they are looking to achieve and take steps to ensure their confidence in the data that informs them.
Overcoming security metrics challenges to measure what matters. Noah Simon is the director of product marketing at Axonius, a cybersecurity asset management company.
He is passionate about cybersecurity and always seeking to understand how new technologies can help companies and individuals protect themselves from the continually evolving risk landscape. Instead of asking, "Am I secure? Tying the development of metrics to its business objectives helps an organization identify the most valuable security measures to measure and report.
If what you are measuring doesn't drive action, then perhaps it should not be measured at all. Measurement should be used to manage risk. And to manage well, you have to make technically competent, well-informed decisions. Decision makers value clear, concise data to help them make decisions. Security metrics can inform decisions made strategically, tactically, and operationally within the organization.
When developing a metrics program, consider the audience. Senior management cares about security metrics for governance and oversight and alignment with the strategic direction of the organization.
Middle management cares about security measures to oversee security management and to make decisions around improvement activities. Operators care about security metrics to ensure controls are configured and managed appropriately. Metrics must provide actionable information for decision makers, but the metric must be balanced with the cost of measuring. Measurement can be very expensive. Consider whether the metric will enable better understanding of progress toward achieving goals and objectives.
If not, it's probably not worth the investment in measuring. Software Engineering Institute.
SEI Blog.