Security Metrics Are Useless Without a Plan
There has been a big push in recent years in the security community toward metrics, and measurements of all types have become a hot topic in certain corners of the industry. But measurement for measurement's sake is useless, and perhaps even counterproductive, if the security team in an organization doesn't define its goals and parameters ahead of time, experts say.
Security professionals have been measuring things such as the number of vulnerabilities in a given application and the time it takes to fix flaws for years. Those things are easily quantifiable, and it's fairly simple to define the value in doing so. But there is likely more value in finding ways to measure things such as the cost of fixing a vulnerability at various stages of the software development lifecycle, and the cost of a data breach relative to the cost of fixing a flaw before a breach occurs, said Chris Wysopal, CTO of Veracode, in a talk at the AppSec DC conference here Friday.
“Evaluating your spend on this is something that’s really hard to do,” he said. “You want to be headed toward mapping the cost of fixing vulnerabilities up front to the cost of a data breach.”