Security Metrics: A Beginner’s Guide – review by Bryan Bechard

The best security report you can give is:
“All is quiet. Nothing to report.”

This would hopefully be understood as: all protections are in place and working, all systems are secure, no issues to report. In the real world, however, there is always some system that needs to be improved or some security incident that needs to be addressed. Even if the no-report utopia existed, you would still need to justify the expense of the security organization. Otherwise, why is there an infosec department? Return on investment (ROI) is a major issue and one of the hardest things to provide when working in information security. In the physical world, information security is akin to the guard at the front of a bank. If you did not have a guard, would that necessarily lead to more bank robberies? The only way you will be able to prove it one way or another is with metrics. While there are many books written on metrics, this is the first I have seen to specifically address security metrics.

My favorite quote from Security Metrics: A Beginner’s Guide is also probably the shortest one ever: “Who cares?” Too many times metrics are created strictly for the sake of having metrics. After reading this book you will be able to produce not only metrics but the right metrics. If a metric is produced and nobody pays attention to it, does it make a sound? If the answer is no for your metrics, then you are either producing the wrong ones, presenting them in a bad way, or not getting buy-in from management and decision makers.

The book has a “for dummies” flavor but does some deep dives into statistical analysis, project management and automation that do require a little math and technical knowledge. Neither is so daunting that anyone should avoid the book. It also provides good case studies with practical examples of how to create metrics reports, get them read and acknowledged, and finally get them acted on.

My only complaint about the book is that it advertises downloadable checklists and templates on the front cover but then does not have a central repository to grab them from. The reader has to go to the sites referenced in the book and pull them together. The author’s templates are not downloadable, so you have to re-create them.

Overall I recommend the book for anyone in information security who has to produce metrics or justify spend on information security. It will walk you through all the steps needed to create a metrics program. With the author’s real-world experience and well-written game plan, you will have no issues justifying your infosec spend and showing the impact it is making.

