Today I caught up with a panel session on security metrics at the May 2014 RSA conference involving Alan Shimel, Andrew McCullough, Ivana Cojbasic and Jody Brazil.
Alan told us more than once that security metrics are 'more art than science', implying (possibly) that this stuff is difficult and irrational.
The key questions were:
- What should we measure?
- Who should we show it to?
- How should we show it?
I guess we could add Where, When and Why to complete the set.
Andrew's main point was that metrics must be actionable. Well, yes, Andrew, actionability is an important characteristic of metrics ... but wait, there's more! At least eight more, in fact.
Ivana identified three audiences for security metrics: executives, managers and [security] operations/technicians. According to Ivana, "trends" are the best metrics to present to the execs and managers, while technicians need detailed technical metrics, apparently. "Trends" aren't metrics per se, but a basic type or style of metric reporting values over time. Ivana made some vague suggestions about which trends to report, such as compliance and benchmarking trends for execs and "the top three slides" for management, but she didn't really have the time to elaborate.
Despite everybody agreeing that metrics must support or be aligned with business objectives, nobody on the panel made a convincing effort to explain or expand upon the point.
All in all, it was a typical commercial conference panel session, more talking shop than scientific paper, provoking thought rather than offering answers.