
Measuring the Effectiveness of Your IT Security Program

By Vigilize | Thursday, March 26, 2015 - Leave a Comment

An article review.


Simple metrics to measure your return on infosec investment



As with any investment, you want your infosec solutions to work and work well! You want to make sure that you’re getting a good return on your investment – a lot of bang for your buck. The question becomes: how do you actually measure your infosec ROI?

The folks over at DarkReading.com, a sister publication of Information Week, conducted a survey recently that asked that exact question of “security practitioners and pundits.” They wanted to see what metrics these professionals use to measure the effectiveness of their IT security solutions. This is the top 10 list that DarkReading.com put together based on their results.

  • Average Time To Detect And Respond – This is simply how long it takes from the time an incident occurs to the time that your team is aware of and responds to the incident. It’s worth noting that if you’re using infotex to monitor your network, our average response time (excluding automated blocks, which are measured in microseconds) is less than 15 minutes.
  • False Positive Reporting – Tracking the rate at which false positives are reported can tell you how well your first level of analysis is working.
  • Mean Time To Fix Software Vulnerabilities – This metric is really crucial for companies that build their own custom software. In many cases, this time is not even tracked, so potentially crippling vulnerabilities remain in production for lengthy periods of time.
  • Patch Latency – The length of time it takes for a patch to be installed from the time it was released.
  • Incident Response Volume – Keeping track of the number of incident cases that are opened versus those that are closed or pending measures how well issues are being noticed and fixed.
  • Fully Revealed Incidents Rate – This metric takes into account how well your response team understands the reason for the security alert, along with its cause, effects, and other implications. If this metric is low relative to the overall volume of security cases opened, it could indicate a lack of training.
  • Analytic Production Time – Measuring the time from data collection to data analysis can help you determine if your security program is experiencing information overload.
  • Percent of Projects Completed On Time And On Budget – A simple calculation of both time and money can show accountability by realistically measuring if your recent security improvement projects are meeting their marks.
  • Percentage Of Security Incidents Detected By An Automated Control – This metric can really pay off when trying to justify new equipment, because it proves that your automated controls are working and saving you money.
  • Employee Behavior Metrics – Plainly, test your staff. Try some social engineering or phishing campaigns to test and measure how well your awareness training program is working. Then, help your staff learn from their mistakes.
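As an added illustration (not part of this post or of the DarkReading article it reviews), the following Python computes six of the metrics above from a small incident and patch log; the record fields and all sample timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional
@dataclass
class Incident:
    occurred: datetime            # when the event actually happened
    detected: datetime            # when the team became aware of it
    responded: datetime           # when the first response action was taken
    closed: Optional[datetime]    # None while the case is still open/pending
    detected_by: str              # "automated" control or "analyst"
    true_positive: bool           # False if the alert turned out to be noise
    cause_understood: bool        # True if the review fully explained the alert
# Constructed sample data (hypothetical values, not from the article)
T0 = datetime(2015, 3, 1, 9, 0)
def minutes(n): return timedelta(minutes=n)
INCIDENTS = [
    Incident(T0, T0 + minutes(2), T0 + minutes(10), T0 + minutes(180), "automated", True, True),
    Incident(T0 + minutes(60), T0 + minutes(90), T0 + minutes(120), None, "analyst", True, False),
    Incident(T0 + minutes(200), T0 + minutes(202), T0 + minutes(220), T0 + minutes(230), "automated", False, True),
    Incident(T0 + minutes(300), T0 + minutes(310), T0 + minutes(320), T0 + minutes(900), "analyst", True, True),
]
PATCHES = [(T0, T0 + timedelta(days=3)), (T0, T0 + timedelta(days=11))]  # (released, installed)

def mean_minutes(pairs):
    return mean((b - a).total_seconds() / 60 for a, b in pairs)

def time_to_detect_and_respond(incidents):
    """Average minutes from occurrence to detection and to response (true positives only)."""
    real = [i for i in incidents if i.true_positive]
    return (mean_minutes((i.occurred, i.detected) for i in real),
            mean_minutes((i.occurred, i.responded) for i in real))

def false_positive_rate(incidents):
    return sum(not i.true_positive for i in incidents) / len(incidents)

def incident_volume(incidents):
    """(opened, closed, pending) case counts."""
    closed = sum(i.closed is not None for i in incidents)
    return len(incidents), closed, len(incidents) - closed

def fully_revealed_rate(incidents):
    """Share of true-positive cases whose cause the team fully understood."""
    real = [i for i in incidents if i.true_positive]
    return sum(i.cause_understood for i in real) / len(real)

def automated_detection_rate(incidents):
    """Share of true-positive incidents first caught by an automated control."""
    real = [i for i in incidents if i.true_positive]
    return sum(i.detected_by == "automated" for i in real) / len(real)

def patch_latency_days(patches):
    return mean((installed - released).days for released, installed in patches)
```

Run against a real ticketing or SIEM export, the same functions give the trend lines (per month, per team) that the article suggests reporting.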

Metrics are very important in governance, and this article proposes several creative measurements we don’t often see used in banks. Consider adding a few of these metrics into your security program assessments.


Click Here To Read the Full Article


The above is what we call an “Article Review.” It is part of our attempt to help our readers find excellent reading materials to back up important technology risk management concepts. We try not to include articles that are merely news or additional news about mainstream issues. Instead, we try to highlight articles that our “typical clients” should be sure to read, or that are about concepts “outside the mainstream media.” infotex does not intend to endorse views represented by the writers of the articles we review, nor do we try to keep our Clients aware of EVERYTHING. For example, if a particular story concept is being reported upon in many different media sources, infotex usually chooses to ignore the story concept altogether, unless we can find a “unique take” on the story concept.


Original article by Ericka Chickowski of DarkReading.com.



