Need for consensus in IT Security

December 11th, 2009 by May Advincula

“With an incident impact reduction focus and consensus metrics as our common language, we can create the classic learning loop first at the enterprise level, then at the international and national levels, that will lead us to true ‘best practices’ and will reduce the impact of incidents.” – Clint Kreitner, The Center for Internet Security

In his presentation at the October IT Security Summit, Clint Kreitner, Senior Advisor at The Center for Internet Security (CIS), discussed the need for the information security community to reach a consensus on what constitutes success in IT security and how to measure it. Kreitner also addressed the need for a feedback learning loop to enable measurable and continued improvement in protecting information.

Kreitner states that although a lot of money is being spent on information security, organizations are largely unable to answer questions such as:

- Are we more secure than we were last year?
- Are we spending the right amount on security?
- Which of our security investments are yielding the most cost-effective results?
- How do we compare to our peers?

Kreitner states, “Currently, much of what we are doing in security involves risk assessment scenarios that hypothesize what various outcomes might be.”

Crucial elements that are missing in information security include a widely accepted definition of success, a clearly established definition of goals, and a set of consensus metrics. The CIS Security Metrics document contains a list of 20 metrics covering specific business functions such as incident management, vulnerability management, patch management, application security management, configuration management, and financial management. It was compiled by over 100 expert participants drawn from public and private sector enterprises of various sizes and types, and representing a range of professional backgrounds.

To read the report “IT Security – When will we know if what we’re doing is working?” in its entirety, please click here (members must be logged in to download).

Follow the discussion on Twitter @ITInfoForum
