A: The ability to reference and learn from past incidents, either alone or in compilation, in order to prevent future incidents. In other words… metrics and analysis.
It comes down to the security department’s ability to track, reference and analyze incidents in order to improve security and mitigate risk. Sometimes, it’s about referencing stats so that you can justify your budget for the necessary countermeasures. In other instances, it’s about referencing stats that showcase how well your security department is performing… one month over the next, one year over the next, compared to other organizations in the same geographical area or industry, etc.
Recognizing that we wanted to take a deep dive into the world of security metrics and how it has evolved in recent years, we contacted a former editor of Security Management, Peter Ohlhausen, to get his take on the subject (and to take advantage of his research skills), and we paired him up with our own resident expert, my Co-CEO, Brian McIlravey, CPP. We compiled their findings, then added some fresh insights and examples. The result is a new white paper entitled Metrics and Analysis in Security Management.