The Smart Techie was renamed Siliconindia India Edition starting Feb 2012 to continue the nearly two decade track record of excellence of our US edition.

February - 2005 - issue > Cover Feature

The Metrics Quest: R=AVT

Gary Bahadur
Monday, November 17, 2008
Security has always been viewed as a cost center and never associated with revenue-driving initiatives. This makes it difficult to get approval for, and to justify, security budgets and expenditures on software, hardware, personnel, services, training, processes and procedures.

In the past, the effectiveness of security spending has been judged by soft measurements: aspects such as the size of the security staff relative to the annual budget, resolution speed, or “patches” based on new vulnerabilities or viruses. This created residual space, because it didn’t demonstrate the cost savings of preventing digital attacks.

Developing appropriate security risk metrics can help you communicate the business value of an effective security program to your organization’s senior management. Through such metrics, you can assign measurable values to your security posture, allowing you to show tangible results.

Most enterprises have finite budgets to spend on security. If, for instance, you have $100 to spend on security, where and how do you spend that money? Do you need to purchase a firewall or an IDS, and how does it subsequently impact your environment? Will you at some point lose the value of these devices? At what point will you receive the most value out of your security investments? Or are you simply wasting money?

Many IT managers cannot assess to what extent a security device is going to save them, or how much dollar loss will accrue without the use of a particular security device. Suitable security metrics are required in order to measure or track a particular impact, and a metric without a measure of perceived savings is useless. Such metrics not only help reduce the potential of threat or vulnerability in your environment but also enable you to determine the effectiveness of information security programs.

