The most important security metric is "risk reduced per unit cost" (RRUC). This metric relates the costs of your security environment to the amount of risk that those expenditures have actually reduced.
Using quantitative methods like RRUC to explicitly frame security decisions in IT adversarial risk management is still a challenging topic that many security professionals are reluctant to consider. But while the precision and accuracy associated with these numbers will always be in question (only the costs are realized in the financial statements), an organization can make great strides in its security program by using the concept to formalize the decision-making process. More importantly, the organization can gather information and make assumptions about risk and security efficacy that can lead to smarter decisions for a security program in the long term.
How can companies create more clarity and structure in their risk management approach?
- Build a measurement-oriented security culture, as quantitative methods will be commonplace in digital security within the next five years.
- Assess the existing budget allocation and spending process for security solutions. Identify the key elements of the cost-benefit justification.
- Identify a specific project where quantitative methods will help the most in decision making. A pending switch from signature-based antimalware at low cost to higher-cost machine learning antimalware is a prime example.
- Determine key data to be collected that can provide key insights into the decision-making process. An outcome-based approach provides the most direct opportunity to measure risk.
The CIO's Top 10 Strategic Security Metrics
Learn top security metrics to utilize in your organization by tuning into this complimentary web conference from IDC's IT Executive Programs.