Creating an IT & Information Security Performance Management System
Whether you are automating an existing security metrics initiative or starting one from scratch, having access to state-of-the-art security metrics and scorecard practices is invaluable. ClearPoint provides a complete solution for launching a successful security metrics effort. Our team of security experts, software professionals, and business process analysts has thoroughly researched the needs of leading organizations and has compiled the key requirements for a system to effectively manage a metrics program:

| Key Requirements | Reason for Requirement |
| --- | --- |
| **Useful Metrics** | |
| Useful metrics that fit in the business context and provide actionable results. | Metrics need to describe activity in a meaningful context, such as by business unit, so that action can be taken. |
| Transparent metrics that can be trusted, with clear data sources, business logic, and audit trails. | Metrics need to be transparent so that there is no confusion or ambiguity over their calculation – focus on the results, not the process. |
| Effective communication of performance through customizable scorecards, providing multiple views of the same underlying metrics. | Need to be able to present metric results in the right way for different audiences, all based on the same underlying set of results. |
| **Reliable System** | |
| Reliable metric production with scheduled production and on-demand data access. | Metrics production needs to occur on a regular schedule as part of an organization's self-assessment processes. |
| Repeatable metrics with low cost computation through automation. | Metrics need automation to be able to be regularly and consistently produced. |
| Auditable system, easy to share and inspect metric calculation logic. | It will be necessary to be able to verify how metrics are being calculated internally for audit purposes. |
| Scalable and maintainable metrics system. | Need to be able to scale the system with new metrics, retire metrics, add additional users, data sources, and scorecards. |

Implementing an effective metrics program is a daunting task without the right solution. The table below highlights how various enterprise solutions meet these key requirements:

**Metric Program System Solutions**

| Key Requirements | Spreadsheet | Security Event Manager | Business Intelligence | ClearPoint Metrics |
| --- | --- | --- | --- | --- |
| Useful business context metrics | Custom metrics can be developed but data access is a problem | Not customizable | Custom metrics require right data access and skills | Enable creation of custom metrics to native data sources without programming knowledge |
| Transparent and trusted metrics | Logic buried in cells | Black box | Logic not easily inspected | Atomic, shareable, inspectable metrics |
| Effective communication of performance | Custom charts can be built but difficult to integrate and share | Limited to existing views | Can design custom reports | Enables creation and distribution of scorecards |
| Reliable metric production | Manual process | Automatic calculations | Can be automated but requires warehouse feeds | Full control over production schedule |
| Repeatable metrics | Requires manual effort | Yes | Yes | By design |
| Auditable system | Logic and data across multiple spreadsheets | Black box calculations assumed to be correct | Requires an amount of investigating | By design, all data access and metric logic is auditable |
| Scalable and maintainable metrics system. | Manual process and computation challenges | Not expandable but maintainable | Requires warehousing and difficult to maintain lifecycle | By design, each part of the system scales and the lifecycle is part of the workflow |