Methodologies to measure the effectiveness of cybersecurity efforts exist. Tying them to the real world is the trick.
As solutions to managing cybersecurity threats increase, surprisingly few metrics are available on how well these methods work to secure organizational assets. The National Institute of Standards and Technology (NIST) has pioneered information security performance measurement models that can produce metrics. (Note: NIST’s work in this area is now being updated.)
Aside from government agencies’ requirements to produce information security performance measures, the measurement models NIST recommends can also be used for internal overall IT improvement efforts. Either way, NIST recommends considering four factors while developing and implementing an information security measurement program:
- Quantifiable measures
- Readily available data that support the measures
- Repeatable information security processes
- Utility for tracking performance and directing resources
This article appeared in CSO Online. To read the rest of the article please visit here.