Governance & Risk Management , Risk Assessments

Understanding New IT Security Metrics

Center for Internet Security's Steven Piliero Discusses Updated Metrics
"The purpose and needs for these is to establish those same business tools for information security professionals to enable them to make better business decisions," Center for Internet Security Chief Security Officer Steven Piliero says.Executives in the financial sector or healthcare, for instance, use metrics to make quantifiable, effective business decisions: determining gross profit at a bank or post-surgical infection rates at a hospital. "Anywhere you go, it would be very typical to hear those types of metrics, they're so common, that regardless if a company is privately held, publicly traded, not for profit, for profit, they all use the same metrics," Steven Piliero, chief security officer at the Center for Internet Security, says in an interview with Information Security Media Group.

But until recently, information security lacked such metrics. They do now. The Center for Internet Security this month updated its year-old consensus metrics for information security. The update features eight new metrics to address industry needs such as incident impact and configuration compliance. The revised metrics also include taxonomies to help standardize metrics reporting, along with relationship diagrams for metrics data sets to facilitate easier integration into existing or custom automation solutions.

"The purpose and needs for these is to establish those same business tools for info security professionals to enable them to make better business decisions," Piliero says.

In the interview, conducted by Information Security Media Group's Eric Chabrow, Piliero explains:

  • What are the seven business functions the metrics covered;
  • How the metrics can be used; and
  • How a community of IT security experts achieved a consensus on what the metrics should include.

Before joining the Center for Internet Security in 2008, Piliero served as an executive for a Fortune 100 financial services organization, where he developed and managed enterprise-wide governance, network, systems and application security programs. He has designed and deployed international, multi-site network, security, management and infrastructure for some of the world's largest organizations.

A certified information systems security professional and information security manager, Piliero has contributed standards to the National Institute of Standards and Technology and the National Security Agency, and is an active member of the Information Systems Audit and Control Association and the Information Systems Security Association.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.