But until recently, information security lacked such metrics. It has them now. The Center for Internet Security this month updated its year-old consensus metrics for information security. The update features eight new metrics to address industry needs such as incident impact and configuration compliance. The revised metrics also include taxonomies to help standardize metrics reporting, along with relationship diagrams for the metrics data sets to ease integration into existing or custom automation solutions.
"The purpose and needs for these is to establish those same business tools for info security professionals to enable them to make better business decisions," Piliero says.
In the interview, conducted by Information Security Media Group's Eric Chabrow, Piliero explains:
- The seven business functions the metrics cover;
- How the metrics can be used; and
- How a community of IT security experts achieved a consensus on what the metrics should include.
Before joining the Center for Internet Security in 2008, Piliero served as an executive for a Fortune 100 financial services organization, where he developed and managed enterprise-wide governance, network, systems and application security programs. He has designed and deployed international, multi-site network, security, management and infrastructure for some of the world's largest organizations.
A certified information systems security professional and information security manager, Piliero has contributed standards to the National Institute of Standards and Technology and the National Security Agency, and is an active member of the Information Systems Audit and Control Association and the Information Systems Security Association.