Skip to content ↓ | Skip to navigation ↓

You are here. But where is that? As a child, I remember being at the mall, standing in front of the directory map. There was a big dot with an arrow. You are here. Still, I had no context of what that meant. Managing an information security program can sometimes feel like that. Sound familiar? If so, you’re not alone.

On December 3rd, I have the pleasure of speaking at BSidesPhilly on how to build a security metrics program. All too often, people are overwhelmed with data and don’t know where to start. And when they do get started, the signal-to-noise ratio is so low that the value they set out for is distorted.

Size Doesn’t Matter

The size of your program doesn’t matter. Focusing in on simple metrics you can mature with does. What story are you telling? What problem are you trying to solve? Focusing on the critical few, will help you build a narrative that is easy to communicate and build on.

Getting Started

“The best time to plant a tree was 20 years ago. The second best time is now.” – Chinese Proverb

You don’t have to do it all at once. Starting now with directional accuracy is key. Here’s how you get started:

1. Plan

  • Don’t Reinvent the Wheel – inventory your information resources, the infrastructure they reside on and who owns / uses them. This step is so important, that the Center for Internet Security made this their first critical control.
  • Prioritize – build an ordered list of assets to launch your metrics program around. Use data sensitivity, data location and criticality to your core processes. After the first pass, it will be easier to extend the same metrics to lower priority assets.

2. Execute

Build metrics answering the following questions:

  • Efficiency – “How well does the control scale?”
  • Effectiveness – “How well does the control perform?”
  • Efficacy – “How well is your control compared to alternates / other controls?”
  • Trending – “How do you scale / perform over time?”

With this simple approach, you’ll know where you are. More importantly, you’ll be able to craft the right story with the right data proving size doesn’t matter… value does.


0ee6408About the Author: Jim Menkevich is an Information Security, Privacy and Risk Management professional with 17+ years of experience. Through his career, he has lead teams in Cybersecurity, Enterprise Architecture, Systems Integration and Application Development. Jim specializes in applying methodologies, frameworks and ideas outside of the intended domain which generate new and fresh angles to address industry challenges. Jim is currently the Director of Data Protection and Security Governance at Health Partners Plans in Philadelphia.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.