Understanding New IT Security Metrics

Center for Internet Security's Steven Piliero Discusses Updated Metrics

By , November 19, 2010.

Executives in the financial sector or healthcare, for instance, use metrics to make quantifiable, effective business decisions: determining gross profit at a bank or post-surgical infection rates at a hospital. "Anywhere you go, it would be very typical to hear those types of metrics, they're so common, that regardless if a company is privately held, publicly traded, not for profit, for profit, they all use the same metrics," Steven Piliero, chief security officer at the Center for Internet Security, says in an interview with Information Security Media Group.

But until recently, information security lacked such metrics. They do now. The Center for Internet Security this month updated its year-old consensus metrics for information security. The update features eight new metrics to address industry needs such as incident impact and configuration compliance. The revised metrics also include taxonomies to help standardize metrics reporting, along with relationship diagrams for metrics data sets to facilitate easier integration into existing or custom automation solutions.

"The purpose and needs for these is to establish those same business tools for info security professionals to enable them to make better business decisions," Piliero says.

In the interview, conducted by Information Security Media Group's Eric Chabrow, Piliero explains:

  • The seven business functions the metrics cover;
  • How the metrics can be used; and
  • How a community of IT security experts achieved a consensus on what the metrics should include.

Before joining the Center for Internet Security in 2008, Piliero served as an executive for a Fortune 100 financial services organization, where he developed and managed enterprise-wide governance, network, systems and application security programs. He has designed and deployed international, multi-site network, security, management and infrastructure for some of the world's largest organizations.

A certified information systems security professional and information security manager, Piliero has contributed standards to the National Institute of Standards and Technology and the National Security Agency, and is an active member of the Information Systems Audit and Control Association and the Information Systems Security Association.
