Consider yourself to be your company’s new cybersecurity head. Your team has made a strong start in putting up defenses to fend off attacks from hackers and ransomware. You must demonstrate improvements over time to your CEO and customers as cybersecurity threats continue to grow. How do you gauge your progress and present it in a way that is meaningful and quantifiable?
The National Institute of Standards and Technology (NIST) has recently revised its draft guidance, which you can use as a road map for developing an actual information security measurement program. The two-volume document, NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security, provides instructions on creating an efficient program as well as a flexible method for creating information security measures to achieve your organization’s performance objectives. NIST is asking for public feedback on this initial public draft by March 18, 2024.
The publication is intended to be used in conjunction with any risk management framework, including the Cybersecurity Framework or Risk Management Framework from NIST. It aims to assist organizations in transitioning from broad statements about risk level to a more unified picture based on concrete data.
Everyone manages risk, but many organizations tend to use qualitative descriptions of their risk level, using concepts like five-point scales or stoplight colors, according to Katherine Schroeder, an author of the publication. “Helping people communicate with data rather than hazy concepts is our goal.”
According to the authors, achieving this goal requires switching from qualitative descriptions of risk, which may use broad categories like high, medium, or low risk level, to quantitative ones. A claim that 98% of authorized system user accounts belong to current employees and 2% to former employees would be an example of the latter.
The team created the new draft guidance in part in response to comments from a pre-draft call for input and requests from the general public. The increased availability of security-related data and the uncertainty over how to use it effectively were mentioned in much of that feedback. Although the resulting advice is not prescriptive, Schroeder said that its adaptable methodology can assist a range of organizations in developing and then enhancing an information security measurement program that is ideal for them.
“We want people to be able to understand how measurements are made. You don’t have to crunch every number,” she said. “Consider factors like your response time and impact on the mission or business, such as additional staff hours, resources required, or impact to the bottom line.” For instance, you might want to determine whether your organization is responding to incidents appropriately. Then, even if you’re not a statistician, you can explain that information in an understandable manner, allowing you to learn how to improve.
The two volumes are intended for different groups of people within a company. The first, which was written primarily for information security experts, offers instructions on how a company can prioritize, choose, and evaluate specific measures to assess the security that is already in place. The second, which is primarily aimed at the C-suite, provides a multistep workflow for implementing an information security measurement program over time and outlines how an organization can do so.
The authors emphasize that some organizations might want to combine qualitative and quantitative approaches, and that qualitative descriptions are appropriate in some situations. However, concentrating on measurement can improve organizational communication and possibly enhance resource allocation and security.
Metrics offer a common language, using trends and numbers to fill in knowledge gaps when technical teams and management discuss information security, according to the authors. “Organizations want to be able to determine how the organization is impacted and whether controls, policies, and procedures are operating effectively and efficiently.” Metrics can be used to assist in prioritizing areas for development, improvement, or resource re-focusing.
In the Notes to Reviewers, NIST suggests creating a Community of Interest (CoI) so that those interested in information security measurement can collaborate to share knowledge, improve the body of knowledge and resources, and find areas for development.
Anyone interested in joining the Information Security Measurement CoI or in commenting on the two-volume draft can email the cyber-measures [at] list [dot] nist [dot] gov list.