How Can You Present Information Security Metrics Better?

How Can You Present Information Security Metrics Better?

‘Actionable’ information security metrics speak millions.

Security professionals continue to struggle with collecting and presenting information security metrics in an effective manner. Attend any information security conference and you will find experts discussing the need for balanced scorecard reporting and the types of information to include in information security metrics reports. Unfortunately, even with all this attention, most security professionals still fail or don’t even try to present the state of security effectively.

I believe the 1st mistake people make when embarking on an information security metrics program is that they don’t initially identify the target and intent of their metrics reporting software.

So… 1st identify the reason behind wanting to create an information security metrics report:

  1. Is the goal to better understand and improve information security management and accountability within your own team?
  2. Or, is the goal to present the state of risk management compliance throughout an organization to upper-level management to gain support and credibility?

In most cases, information security metrics software targets upper management (reason #2), but IT security managers typically provide detailed operational metrics that ultimately mean nothing to executives who want to understand enterprise risk compliance and the likelihood of risk. These executives expect to leverage all of that operational data flowing in from numerous security systems to make smart operational decisions, but they do not want or need to know about percentages, totals or other detailed data that is meant for you because that level of data does not help a non-security leader make risk-based decisions.

If you want to be respected throughout the business (which results in funding and other forms of support), keep the spam statistics, firewall anomaly totals, antivirus percentages, patch level numbers and other geeky information to yourself and interpret and convey that information in these simple terms:

‐ Impact to the organization if something bad happens within a specific security category (i.e. vulnerability management, patch management, DR/BC, awareness, etc.)

‐ Likelihood of impact within a specific security category during a reporting cycle. Think of this as your rating for a reporting period (what went well and what didn’t based off of your analysis of the data).

By focusing on enterprise risk management impact and likelihood ratings, you can level the playing field across all your security concern areas so risk can be displayed consistently on a month-to-month or quarter-to-quarter basis. This also allows you to track trending data to help you make risk-based decisions on where focus should be applied. Displaying this trending data for decision makers also provides them with a view of how their decisions or lack of decisions can impact risk to the organization.

For instance, a past CFO of mine noticed 3 straight months of increased risk in the area of patch management. I also commented that risk was increasing because remote site managers would not grant patch maintenance windows to local IT staff. I immediately received support from the CFO and regional VPs to implement maintenance windows so patching could occur. A simple color-coded line chart displaying risk goes a long way and will build your credibility.

Obviously, you need to track, monitor and understand the data flowing in from all of your systems to be able to make intelligent impact/likelihood decisions for your specific organization and industry. But, if you want to be recognized as a leader in information security metrics and receive support, focus on conveying impact via data driven, graphical charts to really progress your security program and ultimately your career.

To learn about Avatier information security metrics software and unmanned administration, checkout Identity Analyzer and the product Avatier Identity Analyzer Product Introduction video.

Follow Ryan Ward, Avatier Chief Innovation Officer and Chief Information Security Officer, on Twitter at

Watch Ryan Ward, Chief Innovation Officer at Avatier, describe how to return identity and access management to the business user with Avatier’s Identity Access Management software.

Get the Top 10 Identity Manager Migration Best Practices Workbook

top 10 identity manager migration best practicesStart your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.

Request the Workbook

Written by Ryan Ward

Ryan Ward is CISO at Avatier, responsible for security initiatives as well as strategic direction of IAM and security products. A sixteen-year veteran of the security industry, Ward comes to Avatier after five years with MillerCoors where he served as Enterprise Security Manager of the brewing company and USA Information Security Officer for the public company SABMiller. In those positions Ward was responsible for all Information Security initiatives for MillerCoors. Prior to MillerCoors, he served as Senior Information Security Leader at Perot Systems while supporting the Wolters Kluwer account. He previously held the position of Vice President of Information Systems for Allscripts.Ryan is also a Certified Information Systems Auditor (CISA) and a Certified Information Systems Security Professional (CISSP).