Enterprises Need More Effective Cyber Security Metrics

This is the second in a series of five brief summaries about cyber security strategy in the Asia Pacific region.

It’s true that you can’t manage what you can’t measure, but the fact remains that cyber security metrics and theories lack maturity and rigor. Even core ideas like risk and vulnerability are defined differently by different groups. There is no clear, accurate and defensible way to measure success or failure, and this causes enterprises to struggle with making security and risk management decisions. Furthermore, these fundamental problems are only getting worse, since the limited metrics of today are growing even less useful as the world changes.

For example, today's risk metrics do a particularly poor job of capturing and analyzing the domino effect of an attack spreading through inter-dependent systems, even as our systems become more inter-dependent with every passing day.

There’s a real need for effective real-time cyber metrics that can help put enterprises in a proactive stance regarding cyber security. Effective metrics can help bring visibility and awareness to cyber threats and quantify the need for companies to adopt security best practices.

The defining case over the next five years will be security metrics in a world of distributed vulnerabilities and distributed responsibilities, both within organizations and, more importantly, between organizations. In the coming years, companies will increasingly be expected to give their customers detailed insight into their security posture.

Furthermore, that insight will need to be near-real-time. Today's "once-a-year testimony" of a company's security posture, like SSAE 16, is better than nothing, but will be seen as increasingly inadequate as the world moves faster and faster. By the end of the decade, vendors will be expected to provide evidence of their security status once a minute—not once a year.