Information Technology is all about measuring performance, in business context.
For organizations like the networking team, measuring bandwidth utilization, link performance, and capacity are critical to helping the business understand which strategies are working, and when when network capacity should be increased amongst other things. In the systems management world, it's about performance of a system, deployment consistency, and uptime - metrics that can be quantified from monitoring and logging. This pattern repeats for applications and critical business systems, and just about every other component of information technology ...except, it seems, Information Security.
While Information Security has gotten relatively good at measuring the number of port scans it stops, self-propagating worms and brute-force password hacking attempts, and even the number of application security defects that are identified and mitigated - it's still a relatively dark art to relate these metrics back to the impact to the business. When a specific network link the company relies on to do $100 million dollars of buiness/day is out for a day, the cost to the business is $100 million dollars ...that's relatively easy to quantify, so measures are taken to prevent outages, delays and slow performance so as to not impact performance to the business. But, when it comes to relating the number of cross-site scripting defects in an application, or blocked malicious attachments in email - it seems that CISOs are having a difficult time quantifying how security practices, policies and expenditures are having a a positive impact to the business.
There's no magic to the process of divining KPIs from mountains of seemingly technology-interesting but business-useless metrics, but odds are some of your peers have already done this successfully, so we're working on bringing people together who have successfully figured out how to quantify "IT Performance" as a business value. I will keep writing on the topic, and the "Down the Rabbithole podcast" will have a few upcoming episodes about the topic as well ...and you can always keep track of what's going on in the LinkedIn (SecBiz) group ...but now there's one more resource from HP! If you're interested in learning how your peers and colleagues are finding value in IT Performance, and relating IT Security to it ...check us out by following the links provided here ...and remember that if you don't participate and speak up, others cannot learn from your successes and failures ... and everyone loses.
- HP Discover Performance Community: https://h41183.www4.hp.com/inflexion/?jumpid=re_r1
- Down the Rabbithole podcast: http://podcast.wh1t3rabbit.net
- LinkedIn #SecBiz group: http://www.linkedin.com/groups?gid=4001160&trk=hb_
- Twitter #SecBiz hashtag: https://twitter.com/#!/search/%23SecBiz