We're told "You can't manage what you don't measure". Plainly that is not entirely true, since we have been managing information security for decades without decent measures ... or have we? A cursory glance at the news headlines reveals glaring examples of security failures and privacy breaches, despite substantial investment in information security.
Experienced information security professionals are growing increasingly cynical. We may win the occasional battle but we are losing the war against hackers, fraudsters, organized criminals, terrorists, pirates, plagiarists, industrial spies, unethical insiders and other adversaries. Metrics are a substantial part of the answer to today's information security management challenges. We cannot continue throwing money at security, guessing at what needs to be done or implementing shiny new products while hoping for the best. We can – and indeed must – do better than that. We need to channel our finite resources more effectively, more intelligently. It’s time for security professionals to step up, take charge, measure and manage information security properly.
This website supports the global community adopting the innovative measurement techniques laid out in the book PRAGMATIC Security Metrics. If you too are struggling to make sense of security metrics, you're in the right place. Browse the tabs and menu top/right or check out changes to the website (most recent at the top):