Disaster-Resource.com

Group To Release Metrics To Measure IT Security

How good is your organization’s information security? That question might soon be easier to answer, as the Center for Information Security (CIS) is set to release guidelines for how to measure an organization’s state of security.

In an article on the CSO website, Jeremy Kirk says CIS is going to release the guidelines this fall and, at the same time, launch a service that lets companies compare their performance with that of their peers.

Bert Miuccio, CIS’s CEO, told Kirk the project is aimed at resolving the confusion and lack of uniformity in how to measure whether an enterprise’s or organization’s IT security is improving.

“The problem that we’ve come to recognize is that information security professionals really are growing more confused on how to define success,” Miuccio told Kirk. “They know that compliance with regulatory requirements and audit frameworks do not necessarily result in improved security and are not the best measures of success.”

Miuccio told Kirk that CIS has assembled 85 information security experts to agree upon methods to measure eight different metrics, which are expected to be available in late October or early November.

To read the full article, click here: http://www.csoonline.com/article/448112/Group_To_Release_Metrics_To_Measure_IT_Security