A security industry initiative to collect useful metrics to effect positive change is currently focusing on continuous monitoring.
The metrics project was set up by Qualys in October 2013 as part of the Trustworthy Internet Movement (TIM) established and funded by Qualys chief executive Philippe Courtot in 2012.
TIM aims to tap the power of the global security community to advance industry-wide technology innovations and initiatives for actionable change.
In line with those aims, the security metrics project invites organisations to contribute easily-understandable security metrics that security practitioners can use to present to the business.
The metrics project is currently focused on getting industry input to help develop guidance on how best to do continuous monitoring and to use related tools effectively.
Continuous monitoring is fast becoming a security buzzword, but many security professionals see it as a way to regain ground lost to advanced, persistent attackers.
The US National Institute of Standards and Technology (NIST), in Special Publication 800-137, defines continuous monitoring as maintaining ongoing awareness of information security, vulnerabilities and threats to support organisational risk-management decisions.
The key metric in this context is the frequency of scanning, according to metrics project leader Wolfgang Kandek, chief technology officer at Qualys.
“The aim is to find out how often organisations are carrying out scans to enable them to benchmark themselves against their peers,” he told Computer Weekly.
Kandek believes continuous monitoring is an important area of focus and that organisations should be aiming to scan their systems at least once a day.
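As an added illustration of the scan-frequency metric Kandek describes (this is not code from Qualys, TIM or the metrics project), the following Python script derives a cadence benchmark from a scan-completion log and checks each asset against the once-a-day target. The tab-separated log format, the asset names, the sample timestamps and the fixed reference time are all constructed for the example.

```python
"""Scan-cadence metric: how often is each asset actually being scanned?

Added example, not code from Qualys or the security metrics project.
The log format (asset name, tab, ISO-8601 scan-completion time) is an
assumption made for this illustration.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample scan-completion log (not real data), one completed
# scan per line. Deliberately unsorted, as exported logs often are.
SCAN_LOG = """\
web-01\t2013-11-01T02:00:00
web-01\t2013-11-02T02:00:00
db-01\t2013-11-04T03:00:00
web-01\t2013-11-03T02:00:00
db-01\t2013-10-28T03:00:00
web-01\t2013-11-04T02:00:00
vpn-01\t2013-10-20T01:00:00
"""

# The cadence suggested in the article: at least one scan per day.
DAILY = timedelta(days=1)
# Fixed reference time (assumed) so the example is reproducible offline.
NOW = datetime(2013, 11, 4, 12, 0, 0)


def _hours(td):
    return td.total_seconds() / 3600


def parse_log(text):
    """Group scan timestamps by asset, sorted oldest first."""
    scans = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        asset, stamp = line.split("\t")
        scans.setdefault(asset, []).append(datetime.fromisoformat(stamp))
    for stamps in scans.values():
        stamps.sort()
    return scans


def asset_cadence(stamps, now=NOW, target=DAILY):
    """Cadence metrics for one asset's sorted scan timestamps.

    The benchmark is driven by the worst interval: the longest gap between
    consecutive scans, or the window still open since the last scan,
    whichever is longer. A single scan establishes no cadence at all, so
    it is ranked worst (infinite) rather than treated as compliant.
    """
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    age = now - stamps[-1]
    max_gap = max(gaps) if gaps else None
    worst = max(age, max_gap) if max_gap is not None else None
    return {
        "scans": len(stamps),
        "max_gap_hours": _hours(max_gap) if max_gap is not None else None,
        "median_gap_hours": median([_hours(g) for g in gaps]) if gaps else None,
        "hours_since_last": _hours(age),
        "worst_interval_hours": _hours(worst) if worst is not None else float("inf"),
        "meets_target": worst is not None and worst <= target,
    }


def cadence_report(text, now=NOW, target=DAILY):
    """Per-asset metrics plus the fleet-level figure a CISO can present:
    the fraction of assets scanned at least as often as the target."""
    per_asset = {a: asset_cadence(s, now, target) for a, s in parse_log(text).items()}
    meeting = sum(1 for r in per_asset.values() if r["meets_target"])
    ranked = sorted(per_asset, key=lambda a: per_asset[a]["worst_interval_hours"], reverse=True)
    summary = {
        "assets": len(per_asset),
        "meeting_target": meeting,
        "fraction_meeting_target": meeting / len(per_asset) if per_asset else 0.0,
        "worst_assets": ranked[:3],
    }
    return per_asset, summary


if __name__ == "__main__":
    per_asset, summary = cadence_report(SCAN_LOG)
    for asset, r in per_asset.items():
        print(f"{asset:8} scans={r['scans']} max_gap_h={r['max_gap_hours']} "
              f"since_last_h={r['hours_since_last']:.1f} ok={r['meets_target']}")
    print(f"{summary['meeting_target']}/{summary['assets']} assets meet the daily target; "
          f"worst: {', '.join(summary['worst_assets'])}")
```

Two checks are needed rather than one: the longest interval between consecutive scans, and the time elapsed since the most recent scan. An asset scanned daily until last month passes the first and fails the second, and counting it as continuously monitored would overstate coverage in exactly the way a benchmark is meant to expose.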
He is still trying to build industry momentum around the security metrics project by engaging with other security suppliers and security professionals within organisations at a grassroots level.
Kandek believes that for far too long CFOs have had a monopoly on compelling metrics that demonstrate the financial progress of the business.
His hope is that the metrics project will generate a similar set of proven metrics that non-security people in the business can understand.