IT’s security metrics and reporting problem: A communication failure
What used to be a back-room, invisible function of the enterprise, IT security has been launched into the limelight by high-profile data breaches, with Sony as the most recent, and recurring, example. Enterprises are rightfully bringing IT security to the forefront of the business process, and IT teams are responsible for showing the improvement and success of security programs that are often a significant line item on the books.
Therein lies a new challenge for IT: to develop security metrics and reporting that effectively communicate the successes, failures and potential risks of a security program to business audiences in the enterprise. Wisegate, a peer-based IT advisory, conducted a member survey of hundreds of senior IT professionals to determine their top concerns in assessing security risks. Earlier this year, we shared those top concerns with CSO readers; lack of security metrics and reporting was high on the list.